Because of a privilege escalation bug which would have allowed potential attackers to update arbitrary options on vulnerable installations, Yellow Pencil Visual Theme Customizer plugin was removed from the WordPress.org repository .
More to the point, after successfully exploiting the vulnerability, malicious actors could potentially change both the site and the home URLs with an unauthenticated SQL injection.
This is exactly what happened for a number of unlucky webmasters which had their WordPress websites hacked because of the vulnerability discovered in the plugin with has an install base of more than 30,000 websites,
Yellow Pencil attacks part of a larger campaign
Even though 30,000 websites is definitely not negligible, what makes this vulnerability even more interesting is that, according to the Wordfence research team, it was exploited by hackers as part of a larger campaign run by the same threat actor.
As explained by the Wordfence researchers:
We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins.
Exploits so far are using a malicious script hosted on a domain,
hellofromhony[.]com, which resolves to176.123.9[.]53. That IP address was used in the other attacks mentioned. We are confident that all four attack campaigns are the work of the same threat actor.
The bug enabling the attacks in the Yellow Pencil Visual Theme Customizer plugin is present in the yellow-pencil.php file and it is caused by the fact that the yp_remote_get_first() function will check if the yp_remote_get request parameter has been set on every page load.
If the parameter status checks out, the plugin will automatically elevate the privileges of the logged in used to administrator for “the remainder of the request,” making it possible for unauthenticated users to perform actions usually reserved only to website admins.
Fix available, available for download
The development team behind the Yellow Pencil Visual Theme Customizer WordPress plugin patched the issue today and is now providing a download link to apply the patch.
We fixed the vulnerability with 7.2.0 version. We are so sorry.
There an update button will appear on your WordPress panel, Click on “update” button to update the latest version. If you don’t see the update button there, delete the plugin and update the plugin manually.
Please follow these steps to update the plugin manually:
-
Deactivate and delete the old version from WordPress Panel. (CSS changes will stay safe in your database, no worry.)
-
Download YellowPencil 7.2.0v Update.
-
In the WordPress dashboard, Click Plugins > Add New.
-
Click Upload Plugin, and choose the file you’ve downloaded for YellowPencil.
WaspThemes, the plugin’s developers, also acknowledged that there are some “WordPress websites affected by a hack attack” caused by a security issue in the visitor view tool, and provide two procedures to fix them:
First Method
Restore the WordPress database to backup. This is the safest and quick method. Please contact your server provider, they will help you to backup your database.
Second Method:
-
Log into your WordPress database with phpMyAdmin through your hosting control panel.
-
Navigate to the table wordpress_options table
-
Edit the first two rows “siteurl” and “home” back to your domain e.g. https://mydomain.com
-
Click on your database name in the left panel of phpMyAdmin and then click the Search button along the top bar and search all of your tables for the name of the malicious domain that your website was redirecting to with ‘ ’ either side e.g. %baddomain to find any remaining records.