Zero-Day Vulnerability in Yellow Pencil Visual Theme Customizer Exploited in the Wild
Yep. Another zero-day exploit of a WordPress plugin announced to the world irresponsibly by a researcher.
The way this is supposed to work: Researcher finds an exploit. He notifies the plugin developer and gives said developer time to develop a patch.
Developer makes the patch and makes it available to the public. THEN the researcher makes the announcement that he discovered a vulnerability.
This asshole skipped a couple steps.
More from Wordfence:
On Monday the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository. The plugin is quite popular, with an active install base of over 30,000 websites. On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin.
We are seeing a high volume of attempts to exploit this vulnerability. The exploits very closely resemble the POC posted by the irresponsible researcher.Wordfence, April 11, 2019
There are at least two potential remedies to you if you're using the Yellow Pencil plugin:
- Remove it and wait for a patch
- Get Wordfence Premium