Yuzo Related Posts

More of CVE’s Inaccurate Information on WordPress Plugin Vulnerabilities

Earlier this week we noted that in starting to take a closer look at CVE entry data on vulnerabilities in WordPress plugins we found that their information can be problematic. An entry added in the last day is even worse. Here is the information given for CVE-2019-11869:

The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting. [Read more]

Why Are Journalist Spreading Wordfence’s (aka Defiant’s) Lies About Us?

Here’s a timeline of the recent situation with the WordPress plugin Related Posts (Yuzo Related Posts):

March 30 – The plugin was closed on the WordPress Plugin Directory.
March 30 – We notice the closure and find that the plugin contains an exploitable vulnerability.
March 30 – We put out post warning about that vulnerability and pointed out the problem with closing plugins with undisclosed vulnerabilities.
March 30 – We notify the developer of the plugin about the vulnerability through the WordPress Support Forum.
April 2 – Developer submits new version of plugin that appears to be intended to fix a different vulnerability and seemingly unintentionally fixes another one.
Approximately April 9 or 10 – Vulnerability we warned about is widely exploited.

Yet here was Lawrence Abrams at the Bleeping Computer yesterday: [Read more]

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: Yuzo Related Posts