Three WordPress plugins 0day vulnerabilities uncovered, thousands compromised

(Image credit: Image source: Shutterstock/lolloj)

The more moving parts a website has, the more potential vulnerabilities and entry points it may have. This is particularly true of WordPress, whose platform revolves, in good measure, around different plugins.

Each plugin is a potential disaster waiting to happen, and the bigger the userbase of a specific plugin, the bigger the headline once it hits the fan.

That puts enormous pressure on plugin developers to keep their products secure and up-to-date, as well as webmasters to make sure they update their platform regularly.

On the other hand, security researchers who discover vulnerabilities usually do the honourable thing: they notify the developers of any discovered vulnerability and keep their mouths shut until a patch is released. Only then do they usually announce their findings and pick up the royalties.

Not this person, however. Today's 'hero of the day' is an individual that publicly disclosed three 0day vulnerabilities in different WordPress plugins, exposing some 160,000 websites to hacking attempts, before notifying the plugins' respective owners.

Two plugins got all the media attention – Yuzo Related Posts and Yellow Pencil Visual Theme Customiser. WordPress was first to react, removing both plugins from its repository. Yellow Pencil patched things up three days later, while Yuzo is yet to react.

The third plugin is Social Warfare, used by some 70,000 people. They patched things up.

You can find more details about the attacks at this link.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.