Here’s a timeline of the recent situation with the WordPress plugin Related Posts (Yuzo Related Posts):
- March 30 – The plugin was closed on the WordPress Plugin Directory.
- March 30 – We notice the closure and find that the plugin contains an exploitable vulnerability.
- March 30 – We put out a post warning about that vulnerability and pointing out the problem with closing plugins that have undisclosed vulnerabilities.
- March 30 – We notify the developer of the plugin about the vulnerability through the WordPress Support Forum.
- April 2 – The developer submits a new version of the plugin that appears to be intended to fix a different vulnerability and seemingly, unintentionally, fixes another one.
- Approximately April 9 or 10 – The vulnerability we warned about is widely exploited.
Yet here was Lawrence Abrams at Bleeping Computer yesterday:
On March 30th, 2019, the developer of Yuzo Related Posts removed the plugin from the WordPress plugin directory after a WordPress security company publicly disclosed the vulnerability. While this prevented new users from being infected, the 60,000+ existing installs were not notified and thus were vulnerable.
The Yuzo developer took down the plugin on March 20th after the researchers at Pluginvulnerabilities.com publicly disclosed a proof of concept of the vulnerability.
And here was Catalin Cimpanu at ZDNet’s Zero Day:
Today’s massive hacking campaign could have been avoided if only the web developer who found the Yuzo Related Posts plugin vulnerability would have reported the issue to its author instead of publishing proof-of-concept code online.
As a result of making this proof-of-concept code available for everyone, the plugin was removed from the official WordPress Plugins repository on the same day, preventing future downloads until a patch was to be made available.
However, this didn’t remove the plugin from all the sites around the world, which all remained vulnerable. At the time of its removal, the plugin had been already installed on more than 60,000 sites, according to official WordPress.org stats.
Things got so desperate today in the early hours of the attacks that the plugin’s author called on users to “remove this plugin immediately” from their sites until an update would be available.
If you read our original post, it is largely focused on the impact of closing plugins with security vulnerabilities, since doing so paints a target on them, yet somehow these articles miss that the plugin was already closed when we warned about the vulnerability. What was going on? Noticeably, neither links to our post, but both link to a post from Wordfence (aka Defiant) that lies about what happened. Right at the beginning they lie about the timeline:
The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day.
Here they make no sense, seeing as there was plenty of time to fix this and it was exploited well after our post, so who knows whether the hacker was even aware of our post:
As was the case a few weeks ago, the irresponsible actions of a security researcher has resulted in a zero-day plugin vulnerability being exploited in the wild. Cases like this underscore the importance of a layered security approach which includes a WordPress firewall.
Security journalists seem to have blindly repeated that line of thought and didn’t think through the fact that there was plenty of time for this to have been fixed before it was exploited, yet it wasn’t. We have repeatedly offered to provide fixes for unfixed vulnerabilities likely to be exploited, which the WordPress Plugin Directory team could then check over and apply, but they have shown no interest in that. That would be something worth covering.
Repeating claims made by Wordfence is not a good idea since we have seen for years that they don’t seem to have a problem with lying, especially if it involves a lie that makes them look better or makes someone else look worse.
One reason they might want to lie about this and not link to our post is that not only could people see they are lying, but they would also see that we noted this in it:
If you were relying on other security companies, you were in trouble as they didn’t even know about that until well after the fact. For example, Wordfence wrote about this being exploited only on November 20 and started their post:
News broke last week disclosing a number of vulnerabilities in the AMP For WP plugin, installed on over 100,000 WordPress sites.
News didn’t break that previous week, which started November 11, seeing as we had already warned that hackers were targeting this as of six days before that (the person who wrote their post has the title of “threat analyst”, which apparently doesn’t mean much). That was rather problematic when you consider that Wordfence had to write a new rule to protect against this:
The Wordfence firewall has a new rule that defends sites against this exploit.
So they couldn’t protect against that until after they knew about it, which was well after the fact. At the point they were warning about this, the plugin had already been reopened, so they provided protection slower than simply keeping your plugins up to date.
We left this comment on Wordfence’s post:
We are the “security researcher” you are referring to here, though we are actually a service provider named Plugin Vulnerabilities. If you actually read our post on this vulnerability, https://www.pluginvulnerabilities.com/2019/03/30/wordpress-plugin-team-paints-target-on-exploitable-settings-change-vulnerability-that-permits-persistent-xss-in-related-posts/, you will see that we only became aware of and warned about the vulnerability after the plugin was already closed. That occurred on March 30, so there was plenty of time for this to have been fixed before it was exploited.
Will they approve it? Probably not.