Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Zero-day in popular Yuzo Related Posts WordPress Plugin exploited in the wild

According to experts a vulnerability in the popular WordPress plugin Yuzo Related Posts is exploited by attackers to redirect users to malicious sites. The XSS flaw allows attackers to inject a JavaScript into the sites that redirect visitors to websites displaying scams, including tech support scams, and sites promoting unwanted software. The Yuzo Related Posts […]

Yuzo Related Posts

According to experts a vulnerability in the popular WordPress plugin Yuzo Related Posts is exploited by attackers to redirect users to malicious sites.

The XSS flaw allows attackers to inject a JavaScript into the sites that redirect visitors to websites displaying scams, including tech support scams, and sites promoting unwanted software.

The Yuzo Related Posts plugin was removed from the WordPress plugin store on March 30th, 2019. after a zero-day vulnerability was publicly, and irresponsibly, disclosed by a security researcher the same day. 

The Yuzo Related Posts plugin is currently installed on over 60,000 websites worldwide that at the time of writing are yet to be notified.

Many users reported that threat actors in the wild have recently started exploiting the vulnerability, they noticed that their websites were redirecting users to unwanted sites.

According to security experts at WordFence, the vulnerability in Yuzo plugin stems from missing authentication checks in the plugin routines used to store settings in the database.

“The vulnerability in Yuzo Related Posts stems from missing authentication checks in the plugin routines responsible for storing settings in the database.” reads the blog post published by WordFence.

The Plugin author Lenin Zapata provided the following suggestion to halt the attack:

  • Remove / Uninstall the plugin immediately.
  • Within your database go to the wp_options table and look for the value yuzo_related_post_options delete that record.
  • Do not delete the table of visits wp_yuzoviews, this does not influence the problem.

Soon I will send an improved version of Yuzo for all users.

An attacker could inject an obfuscated JavaScript script in the yuzo_related_post_options value of the wp_options table.

Once deobfuscated, the script will create a new script tag with a source of https://hellofromhony[.]org/counter, which will be injected into the head of the page. When a user visits a compromised website will be redirected to malicious websites, such as tech support scam pages. 

Yuzo Related Posts flaw

WordFence researchers believe that the attacks were carried out by the same threat actors that targeted WordPress installs using the Social Warfare and Easy WP SMTP plugins.

The exploits against the above pluging have used a malicious script hosted on the domain hellofromhony[.]org, which resolves to 176.123.9[.]53, that is same IP address involved in the Social Warfare and Easy WP SMTP campaigns. All three campaigns leverage stored XSS injection vulnerabilities and have deployed malicious redirects.

“Cases like this underscore the importance of a layered security approach which includes a WordPress firewall.” concludes WordFence

“Site owners running the Yuzo Related Posts plugin are urged to remove it from their sites immediately, at least until a fix has been published by the author.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – WordPress, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]