Revealed three zero-day WordPress plugin flaws before they were corrected

A self-styled security provider published the details of three zero-day flaws in as many WordPress plugins before they were fixed, endangering over 160,000 websites and exposing their visitors to risk.

Over the past few weeks a set of zero-day vulnerabilities in several WordPress plugins has exposed at least 160,000 websites to compromises that can ultimately redirect unsuspecting visitors to malicious sites.

The "offending" plugins are Yuzo Related Posts and Yellow Pencil Visual Theme Customizer, whose vulnerabilities were identified last week, while a flaw in the Social Warfare plugin was identified three weeks ago.

A key role in the story, in addition to a certain laxity in the distribution of patches by developers and their installation by website administrators, was played by a self-proclaimed "security provider" that publicly disclosed the details of the flaws on the Plugin Vulnerabilities site, together with a series of proof-of-concept code listings that exploit them, before patches were available.

The first compromises of websites using the three plugins occurred in the hours immediately following the publication of the details by Plugin Vulnerabilities. Exploitation of the flaws began only after the details were published, and in some cases the attacks reused the proof-of-concept code with a simple copy and paste.

The publication by Plugin Vulnerabilities appears to be a form of protest against the moderators of the WordPress support forum who, according to the anonymous individual who identified the three security flaws, behaved inappropriately when he reported the problem on the forum: his post was allegedly deleted without explanation.

The disagreements between Plugin Vulnerabilities and the moderators of the WordPress support forum reportedly go back several years: according to a blog post from the company, at least to 2016.

Plugin Vulnerabilities intends to remain anonymous, sheltering behind a statement of circumstance: "We are trying to anticipate hackers, as our customers pay us to warn them of any vulnerabilities in the plugins they use, and it is obviously better to warn them before they may be compromised instead of later."

The Yuzo Related Posts and Yellow Pencil Visual Theme Customizer plugins have been removed without explanation from the WordPress plugin catalog, a hint that the report made on the forum had some kind of effect.

This is an undoubtedly unpleasant episode, which teaches, or confirms, two things: on the one hand, the WordPress development team has not yet found a sufficiently convincing and effective way to reduce the risks posed by security problems in third-party plugins; on the other hand, slowness in distributing corrective patches can be an even bigger problem.

But this affair also sounds an alarm: publicly disclosing the details of a zero-day flaw as a form of protest is highly irresponsible behavior, which could encourage copycat episodes with particularly serious consequences.
