Vulnerability in closed plugin Yuzo Related Posts [closed]
I do believe I just found it: The Yuzo Related Posts plugin does not check for authentication when saving options.
So POSTing
yuzo_related_post_css_and_style=</style><script+language=javascript>alert('hacked');</script>
to /wp-admin/options-general.php?page=yuzo-related-post
will succeed, even if you're not logged in.
The plugin is using is_admin() to check for authentication, but that is a "false friend": it only checks whether the accessed page is in the admin area, not whether a user is authenticated (nor authorized). See the WordPress documentation.
A quick solution to keep using the plugin is just removing the settings option by putting false in the if statement in /assets/functions/options.php, line 1155:

    function __construct() {
        global $if_utils;
        $this->utils = $if_utils;
        // Settings page disabled: is_admin() was the only gate on saving options.
        if ( false /* is_admin() */ ) {
            self::configuration_plugin();
        } else {
            self::parameters();
        }
    }
Update:
Hang Guan pointed to a blog post about this issue from last week; it seems like it is "out in the wild" now.
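To make the is_admin() point concrete, here is an added PHP example (not the Yuzo plugin's code and not part of the answer above) that places the reported pattern beside a properly gated settings save. The option name, nonce action and function names are assumptions chosen for illustration; the WordPress functions used (is_admin, current_user_can, check_admin_referer, wp_nonce_field, update_option, wp_strip_all_tags) are the real core API.

```php
<?php
// Added example (not the Yuzo plugin's own code). Names below are assumptions.
const EXAMPLE_OPTION = 'example_related_post_css';   // hypothetical option key
const EXAMPLE_NONCE  = 'example_save_settings';      // hypothetical nonce action

// The pattern from the report: is_admin() is true for any request whose URL is
// under /wp-admin/, including an unauthenticated POST. It is a "where am I"
// check, not a "who is this" check, so this saves attacker-supplied CSS/markup.
function example_save_settings_insecure() {
    if ( is_admin() && isset( $_POST[ EXAMPLE_OPTION ] ) ) {
        update_option( EXAMPLE_OPTION, wp_unslash( $_POST[ EXAMPLE_OPTION ] ) );
    }
}

// Hardened form: authorization (capability), CSRF protection (nonce), and
// sanitization so a stored value cannot close the <style> block with markup.
function example_save_settings_secure() {
    if ( ! isset( $_POST[ EXAMPLE_OPTION ] ) ) {
        return;
    }
    // Authorization: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF: the request must carry the nonce emitted by our own form.
    check_admin_referer( EXAMPLE_NONCE );

    $css = wp_unslash( $_POST[ EXAMPLE_OPTION ] );
    update_option( EXAMPLE_OPTION, example_sanitize_css( $css ) );
}

// Strip all tags, so "</style><script>..." cannot survive into the option.
function example_sanitize_css( $css ) {
    return wp_strip_all_tags( (string) $css );
}

// Output side: sanitize again when rendering, so a value written to the
// option by some other path still cannot inject markup into the page.
function example_render_css() {
    $css = get_option( EXAMPLE_OPTION, '' );
    echo '<style>' . wp_strip_all_tags( (string) $css ) . '</style>';
}

// Settings form whose nonce field pairs with check_admin_referer() above.
function example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( EXAMPLE_NONCE );
    echo '<textarea name="' . esc_attr( EXAMPLE_OPTION ) . '"></textarea>';
    submit_button();
    echo '</form>';
}

// Hooking on 'init' mirrors a plugin that processes POST data as soon as it
// loads; the capability and nonce checks are what protect the save, not the hook.
add_action( 'init', 'example_save_settings_secure' );
```

The same protection is what WordPress's Settings API gives for free: registering the option with register_setting() and posting the form to options.php lets core perform the capability check, nonce verification and the registered sanitize callback, so a plugin never has to reimplement the gate that is_admin() was mistaken for here.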