Another WordPress Plugin Under Attack, and Media Blames a Disgruntled Researcher. The wave of attacks on WordPress plugins continues to gain momentum. Let me remind you that last week unknown attackers attacked a vulnerability in the composition of the plugin Yuzo Related Posts. As a result, the criminals had the opportunity to redirect visitors to the affected sites to various scam resources, from fake technical support, to pages with ads or fake software updates that hide malware.
Experts of Defiant and Sucuri, warned that the exploitation of the vulnerability in Yuzo Related Posts is the same criminal group that used 0-day bugs in other plugins, Easy WP SMTP and Social Warfare last month .
Now a similar fate befell the Yellow Pencil Visual Theme Customizer plugin , installed over 30,000 times. Currently, it is still removed from the official WordPress repository, although developers have already released a fix that closes the flaw used by criminals.
Wordfence specialists explain that the plugin was attacked after an irresponsible and dangerous act of an unnamed information security researcher: he posted a description of two vulnerabilities in the Yellow Pencil Visual Theme Customizer on his blog and attached PoC-exploit to his report.
ArsTechnica journalists explain that in all the above cases, exploitation of vulnerabilities began after the publication of exploits and problem description on the Plugin Vulnerabilities website , which is positioned as a service provider for finding bugs in WordPress plugins, but no specifics about this company are known. In each case, the promulgated technical details and code were sufficient for the attackers to quickly take the vulnerabilities into service and launch attacks. In this case, prior to the publication of exploits, active attacks on problems were not recorded.
Interestingly, all three exploits were made public by the same unnamed researcher, and in posts on Plugin Vulnerabilities it was stressed that he does this in protest, as he is not satisfied with the moderation policy on the official WordPress support forums.
ArsTechnica representatives managed to contact this anonymous researcher and find out his version of events. The expert explained that he prefers to first publish information about bugs, and after that he tries to notify plugin developers about them. He tried to contact the developers through the aforementioned official WordPress support forums, but it turned out that “local moderators delete such messages too often, without warning anyone about this.”
It is emphasized that in the cases of Yuzo Related Posts and Yellow Pencil, the researcher paid attention to the plugins and studied them after an unexpected deletion from the official repository. Now he recognizes that the current exploitation of bugs and attacks on plug-ins can be due both to his posts with PoC-exploits, and to be the result of some parallel processes.
In this case, the anonymous author stressed that 11 days passed between the publication of the exploit for Yuzo Related Posts and the first attacks, which means that the developers have enough time to fix the problem. Moreover, the researcher once again emphasized that if the moderators of the official WordPress forums were doing their job, there would be no problem, and the users would not be in danger.
The journalists of ArsTechnica tried to understand where the roots of this hostility with the moderators go and who owns the Plugin Vulnerabilities.
Representatives of the publication noted that the copyright of White Fir Designs, LLC can be found in the “basement” of the Plugin Vulnerabilities site , and whois from pluginvulnerabilities.com and whitefirdesign.com showed that their owner is White Fir Designs of Greenwood Village in Colorado. After consulting with an open base of Colorado business data, the reporters found that the company White Fir Designs was founded in 2006 by a man named John Michael Grillot ( the John by Michael Grillot ).
According to this publication on Reddit, the hostility of the researcher with the moderators began long ago, since he openly published on the forums information about still unclosed bugs, and the moderators deleted first the posts themselves, and then completely blocked the specialist account. Thus, according to this message in Medium , the researcher was given a life ban, but he continued his activity, already using fake accounts. In addition, you can find an entry in the archives of Plugin Vulnerabilities , dated as early as 2016, which also raises the issue of the conflict of the self-proclaimed security provider with the support of the official WordPress forums.