Over the last three weeks, a trio of critical zero-day vulnerabilities in WordPress plug-ins has exposed 160,000 websites to attacks that let criminal hackers redirect unwitting visitors to malicious destinations. A self-proclaimed security provider that publicly disclosed the bugs before patches were available played a key role in the debacle, although delays by plug-in developers in publishing patches and by site administrators in installing them also contributed.
Zero-days released last week
Yuzo Related Posts and Yellow Pencil Visual Theme Customizer, WordPress plug-ins used by 60,000 and 30,000 websites respectively, both came under attack. Both plug-ins had been removed from the WordPress plug-in repository by the time the zero-day posts were published, leaving websites no option other than to remove the plug-ins. Yellow Pencil released a patch three days after becoming aware of the vulnerability on Friday. At the time this post went live, Yuzo Related Posts remained closed with no patch available.
In-the-wild exploits against Social Warfare, a plug-in used by 70,000 sites, began three weeks ago. The plug-in's developers fixed the bug quickly, but not before sites that used the plug-in were hacked.
Fraud and online graft
All three exploit waves caused websites running the vulnerable plug-ins to redirect visitors to sites pushing tech-support scams and other forms of online graft. In all three cases, the exploits came after a website called Plugin Vulnerabilities published detailed information about the underlying vulnerabilities. The posts contained proof-of-concept exploit code and other technical details that made it easier to hack vulnerable sites. Some of the code used in the attacks appears to have been copied and pasted from the Plugin Vulnerabilities posts.
Within hours of Plugin Vulnerabilities publishing the Yellow Pencil Visual Theme and Social Warfare posts, the zero-day vulnerabilities were being actively exploited. It took 1
All three Plugin Vulnerabilities posts contained boilerplate language stating that the unnamed author was releasing them in protest because "the moderators of the WordPress support forum continue to behave inappropriately." The author told Ars that he attempted to notify developers only after the zero-days had already been published.
"Our current disclosure policy is to fully expose vulnerabilities and then notify the developer through the WordPress support forum, though the moderators often try to delete these messages and not inform anyone about them," the author wrote in an email.
According to a blog post published Thursday by Warfare Plugins, the developer of Social Warfare, here is the timeline for March 21, the day Plugin Vulnerabilities dropped the zero-day for that plug-in:
02:30 PM (approx.) – An unnamed individual releases the exploit that hackers can take advantage of. We do not know the exact time of publication because the person hides the publication time. Attacks on unsuspecting websites start almost immediately.
02:59 PM – WordPress detects the release of the vulnerability, removes Social Warfare from the WordPress.org repository, and sends an email to the team.
03:07 PM – In a responsible, respectable manner, Wordfence publishes the discovery of the release and the vulnerability and gives no details on how to exploit it.
03:43 PM – Each member of the Warfare Plugins team is briefed with tactical instructions and begins to respond to the situation in their respective areas: development, communications, and customer support.
04:21 PM – A notification that we are aware of the exploit, along with instructions for disabling the plugin until it is patched, is posted on Twitter as well as on our website.
05:37 PM – The Warfare Plugins development team makes final code commits to address the vulnerability and to reverse any malicious script insertion that redirected websites. Internal testing begins.
05:58 PM – After thorough internal testing and sending a patched version to WordPress for review, the new version of Social Warfare (3.5.3) is released.
06:04 PM – An email is sent to all Social Warfare Pro customers with details about the vulnerability and immediate upgrade instructions.
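As an added defensive example, not code from the article, from Warfare Plugins, or from any of the plug-in vendors, the following Python script performs the two checks a site administrator would want after reading a timeline like this one: it reads the `Version:` line of a plug-in's main PHP file header (the standard WordPress plug-in header block) and flags an installed Social Warfare copy older than the patched 3.5.3 release named above, and it scans a rendered page for injected redirect scripts of the kind the developers had to reverse. The plug-in slug, the host names, the sample header and the sample page are all constructed for illustration; only the 3.5.3 version number comes from the page.

```python
"""Defensive checks for a vulnerable WordPress plug-in and an injected redirect.
Added example: not the article's code nor any vendor's.  All sample inputs are
constructed; only the Social Warfare 3.5.3 patch version comes from the timeline."""
import re
from typing import Dict, List, Tuple

# Social Warfare 3.5.3 is the patched release named in the Warfare Plugins timeline.
# The slug "social-warfare" is an assumed key for this example.
PATCHED_VERSIONS = {"social-warfare": "3.5.3"}


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Parse the WordPress plug-in header comment block ('Plugin Name:',
    'Version:', ...) from a plug-in's main PHP file into a dict of lower-cased keys."""
    header: Dict[str, str] = {}
    block = php_source.split("*/", 1)[0]  # the header is the first comment block
    for line in block.splitlines():
        m = re.match(r"^\s*\*?\s*([A-Za-z][A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            header[m.group(1).strip().lower()] = m.group(2)
    return header


def version_tuple(v: str) -> Tuple[int, ...]:
    """'3.5.2' -> (3, 5, 2); any non-numeric suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable_version(slug: str, installed: str) -> bool:
    """True when the installed version is older than the known patched release."""
    fixed = PATCHED_VERSIONS.get(slug)
    return fixed is not None and version_tuple(installed) < version_tuple(fixed)


# Patterns typical of an injected visitor redirect: inline JS that rewrites the
# location, or a meta refresh that sends the browser to an absolute URL.
REDIRECT_PATTERNS = [
    re.compile(r"<script[^>]*>[^<]*?(?:window|document|top|self)\.location(?:\.href)?\s*=", re.I | re.S),
    re.compile(r"<script[^>]*>[^<]*?location\.(?:replace|assign)\s*\(", re.I | re.S),
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*url\s*=\s*https?://", re.I),
]
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']?(https?:)?//([^/\"'\s>]+)", re.I)


def find_redirect_injections(html: str, allowed_hosts: List[str]) -> List[str]:
    """Return human-readable findings: redirect snippets and external script hosts
    that are not on the site's own allow-list."""
    findings: List[str] = []
    for pat in REDIRECT_PATTERNS:
        for m in pat.finditer(html):
            findings.append("redirect: " + m.group(0)[:60].replace("\n", " "))
    for m in SCRIPT_SRC.finditer(html):
        host = m.group(2).lower()
        if host not in [h.lower() for h in allowed_hosts]:
            findings.append("external script: " + host)
    return findings


def audit(plugin_php: str, slug: str, page_html: str, allowed_hosts: List[str]) -> dict:
    """Combine both checks into one report for a site."""
    header = parse_plugin_header(plugin_php)
    installed = header.get("version", "0")
    return {
        "plugin_name": header.get("plugin name"),
        "installed": installed,
        "needs_update": is_vulnerable_version(slug, installed),
        "page_findings": find_redirect_injections(page_html, allowed_hosts),
    }


# Constructed sample inputs (not real plug-in code or a real site).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Social Warfare
 * Plugin URI: https://example-blog.invalid/plugin-uri
 * Version: 3.5.2
 */
"""

SAMPLE_PAGE = """<html><head>
<title>Example blog</title>
<script src="https://example-blog.invalid/wp-includes/js/jquery/jquery.js"></script>
<script>window.location = "https://redirect-host.invalid/support-scam";</script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_PLUGIN_HEADER, "social-warfare", SAMPLE_PAGE, ["example-blog.invalid"]))
```

The version check deliberately compares numeric tuples rather than strings so that 3.5.10 is correctly treated as newer than 3.5.3, and the page scan reports only hosts outside the site's own allow-list, so a normal theme or jQuery include does not produce noise.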
No regrets
The author said he went looking for vulnerabilities in Yuzo Related Posts and Yellow Pencil after noticing that both had been removed from the WordPress plug-in repository without explanation, which made him suspicious. "While our posts could have led to exploitation, [sic] it is possible for a parallel process to take place," the author wrote.
The author also pointed out that eleven days passed between publication of the Yuzo Related Posts zero-day and the first known reports of exploits. Those exploits would not have been possible had the developer fixed the vulnerability during that interval.
Asked whether he felt any remorse for the innocent end users and site owners harmed by the exploits, the author said: "We do not have direct knowledge of what hackers are doing, but it's likely that our disclosures could have led to exploitation attempts. These full disclosures would have ceased long ago if the moderation of the support forum had simply been cleaned up, and any damage caused by them could have been avoided if they had simply agreed to that."
The author declined to give a name or to identify Plugin Vulnerabilities in any way other than as a service provider that identifies vulnerabilities in WordPress plug-ins. "We try to stay a step ahead of hackers because our customers pay us to warn them about vulnerabilities in the plugins they use, so it's better to warn them before they can be exploited."
Whois Plugin Vulnerabilities?
The Plugin Vulnerabilities website carries a copyright footer on every page that lists White Fir Designs, LLC. Whois records for pluginvulnerabilities.com and whitefirdesign.com likewise list the owner as White Fir Designs of Greenwood Village, Colorado. A search of the state of Colorado's business database shows that White Fir Designs was founded in 2006 by someone named John Michael Grillot. In 2014, the Secretary of State changed the legal status of White Fir Designs from "in good standing" to "delinquent" for failing to file a "Periodic Report."
The author's grievance with the moderators of the WordPress support forum, laid out in threads like this one, is that they remove his posts and delete his accounts when he discloses unpatched vulnerabilities in the public forum. A recent media report said he had been "suspended for life" but had vowed to continue the practice indefinitely using fictitious accounts. Posts like this one show that Plugin Vulnerabilities' public feud with the WordPress support forum has been going on since at least 2016.
Of course, there is plenty of blame to go around for the recent exploits. Plug-ins have long been the biggest security risk for websites running WordPress, and so far the developers of the open-source CMS have found no way to sufficiently improve their quality. On top of that, plug-in developers often take too long to fix critical vulnerabilities, and site administrators take too long to install the fixes. The Warfare Plugins blog post is one of the best apologies ever written for having missed a critical bug before it was exploited.
But most of the blame lies with a self-described security provider that willingly drops zero-days as a form of protest or, alternatively, as a way to keep its customers safe (as if exploit code were required for that). With no apology and no remorse from the publisher, not to mention the staggering number of buggy, poorly reviewed plug-ins in the WordPress repository, it would not be surprising to see further zero-day disclosures in the coming days.