Wordfence posted an article stating that on March 30th, 2019, WordPress removed the Yuzo Related Posts plugin from its plugin directory due to an unpatched vulnerability that was being exploited in the wild. The vulnerability is the result of missing authentication checks in the plugin routines that store settings in the database.
This could allow an unauthenticated attacker to inject malicious content into the plugin’s settings. Successful exploitation could result in website defacement, redirection to unsafe websites, or compromise of WordPress administrator accounts. Wordfence analysts noted that this vulnerability shared commonalities with two earlier attacks on the Social Warfare and Easy WP SMTP plugins.
They also indicated that the same IP address, 18.104.22.168, was used in all three campaigns, each of which attempted to exploit stored XSS injection vulnerabilities. Wordfence recommended that sites with the Yuzo Related Posts plugin installed remove the plugin until the author releases a fix.
When a user visits a compromised website containing the payload, they will be redirected to malicious tech support scam pages.
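The flaw class described above (a settings-save routine that stores request data without checking who sent it), shown beside a hardened version. This is an added illustration, not code from the Yuzo Related Posts plugin or from Wordfence; the option name, action name, nonce name and field names are hypothetical.

```php
<?php
// Hypothetical plugin: option, action, nonce and field names are made up
// for illustration and are not taken from Yuzo Related Posts.
const EXAMPLE_OPTION = 'example_related_settings';

// Weak pattern: the save routine runs for any request that reaches it.
// No capability check, no nonce, no sanitization before update_option().
function example_save_settings_unchecked() {
    if ( isset( $_POST['example_settings'] ) ) {
        update_option( EXAMPLE_OPTION, $_POST['example_settings'] );
    }
}

// Hardened pattern: authorize, verify intent, then validate every field.
function example_save_settings() {
    // 1. Authorization: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: nonce emitted by the form via wp_nonce_field().
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Validation: keep only known keys and strip markup from each value.
    $raw = isset( $_POST['example_settings'] )
        ? (array) wp_unslash( $_POST['example_settings'] )
        : array();
    $clean = array(
        'title'      => sanitize_text_field( $raw['title'] ?? '' ),
        'post_count' => absint( $raw['post_count'] ?? 5 ),
    );
    update_option( EXAMPLE_OPTION, $clean );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-related' ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; the capability check
// above is still needed because any logged-in role can reach this hook.
add_action( 'admin_post_example_save_settings', 'example_save_settings' );

// Output side: escape stored values so an injected value renders as text.
function example_render_title() {
    $settings = get_option( EXAMPLE_OPTION, array() );
    echo '<h3>' . esc_html( $settings['title'] ?? '' ) . '</h3>';
}
```

Escaping on output matters even with the hardened save path, because values written to the database before a fix was deployed remain stored until they are cleaned up.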
Indicators of Compromise