An XSS vulnerability has been discovered in Yuzo Related Posts, a popular WordPress plugin with over 60,000 installs. Attackers quickly took advantage of the bug, staging a large-scale, coordinated attack against vulnerable sites which, among other things, affected the popular mail service Mailgun. The attacks are already being discussed on the official WordPress forums (1, 2, 3) as well as on StackOverflow.
The vulnerability allows attackers to inject malicious code into a vulnerable site; the injected code is then used to redirect visitors to various scam resources, from fake technical support to pages with ads or fake software updates hiding malware.
The main problem is that the researchers who discovered the vulnerability in the plugin not only reported the bug to the developers but also published a proof-of-concept exploit for it publicly. As a result, the plugin was temporarily removed from the official WordPress repository until the developers prepare a fix. Given the scale of the attack, representatives of Yuzo Related Posts called on users to urgently remove the plugin from their sites and wait for the release of a patch.

According to experts at Defiant and Sucuri, the same criminal group that last month exploited 0-day bugs in the Easy WP SMTP and Social Warfare plugins is behind the exploitation of the Yuzo Related Posts vulnerability. The attackers' exploits relied on a malicious script hosted on hellofromhony[.]org (176.123.9[.]53), the same address that was already seen during the campaign against Social Warfare and Easy WP SMTP.
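The domain and IP the malicious script was served from are the practical hook for defenders. The following is an added example, not code from the article or from Defiant or Sucuri: a small Python checker that takes HTML pulled from a site (rendered page output, or stored post and option content; where exactly the injected code lives on a given site is not stated above and is an assumption of the example) and reports `<script>` tags whose host is one of those indicators, plus any plain mention of them. The two sample pages are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators named in the article, written defanged as they appear in reports.
INDICATORS = ("hellofromhony[.]org", "176.123.9[.]53")


def refang(indicator: str) -> str:
    """Convert report-style defanging ([.] and hxxp) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


class _ScriptSrcCollector(HTMLParser):
    """Collect every src= value of <script> tags in an HTML document or fragment."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def _host_of(src: str) -> str:
    # Scheme-relative ("//host/path") and bare ("host/path") references get a
    # leading "//" so urlsplit treats the first component as the network location.
    if "//" not in src:
        src = "//" + src
    return (urlsplit(src).hostname or "").lower()


def scan(html: str, indicators=INDICATORS) -> dict:
    """Report script tags loading from a known indicator and plain mentions of it.

    'script_hits' is the strong signal: a <script src> whose host is the indicator,
    so a page that merely quotes the domain in text is not flagged there.
    'mentions' is the weaker signal (the indicator text appears anywhere), which
    still catches inline loaders or encoded references the host check would miss.
    """
    wanted = {refang(i).lower() for i in indicators}
    collector = _ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    script_hits = [s for s in collector.sources if _host_of(s) in wanted]
    lowered = html.lower()
    mentions = [refang(i) for i in indicators if refang(i).lower() in lowered]
    return {"script_hits": script_hits, "mentions": mentions}


# Constructed sample: a clean page that only quotes the indicator in text.
SAMPLE_CLEAN = """<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
</head><body>
<p>Forum post quoting the indicator hellofromhony.org as text only.</p>
</body></html>"""

# Constructed sample: a fragment with two injected loaders (paths are made up).
SAMPLE_INFECTED = """<p>Widget text</p>
<script type='text/javascript' src='//hellofromhony.org/assets/loader.js'></script>
<script src="http://176.123.9.53/x.js"></script>
<script src="https://cdn.example.com/app.js"></script>"""


if __name__ == "__main__":
    for label, page in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        print(label, scan(page))
```

Run it against exported `post_content` and `option_value` rows as well as fetched pages: a stored injection that only fires for visitors (for example, after a cookie or referrer check) may not show up in the HTML an administrator sees, so the database copy is the more reliable source.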