There is a vulnerability in the WordPress plugin Yuzo Related Posts for which no update has been released. This article explains how to close the vulnerability in Yuzo Related Posts manually.


Yuzo Related Posts vulnerability

Yuzo Related Posts is a plugin for displaying recommended articles and is used by quite a few sites in Japan, but it allows an arbitrary script to be stored in the database through its settings.

However, since the author has stopped development, no patch has been released, and the plugin can no longer be downloaded from the official WordPress plugin directory.

Therefore, the only ways to resolve the vulnerability are to deactivate and remove the plugin, or to patch the vulnerable code manually.

Incidentally, the plugin can still be downloaded from sites other than the official directory, such as GitHub, but because such copies do not come from the official source, they may contain malicious code.

Plugging the Yuzo Related Posts vulnerability manually

The Yuzo Related Posts vulnerability is located in the following code, around line 1000 of the plugin's /assets/functions/options.php file.
In this code, is_admin() alone decides whether the settings are saved. is_admin() only reports that the request is for an admin-area page; it does not check whether the visitor is logged in, so the plugin settings can be rewritten even by a user who is not logged in.
Arbitrary malicious code can also be embedded in these settings.

function __construct(){
    global $if_utils;
    $this->utils = $if_utils;
    // is_admin() only checks for an admin-area request, not for a logged-in user
    if( is_admin() )
        self::configuration_plugin(); // saves the plugin settings
    else
        self::parameters();
}

By rewriting if( is_admin() ) as follows, only an administrator can change the plugin configuration, which avoids the vulnerability for the time being.

if( is_admin() ) → if( is_admin() && current_user_can( 'administrator' ))
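The vulnerable constructor and its hardened form side by side, as an added illustration that is not the plugin's own code. The class names and the $utils property are assumptions; configuration_plugin() and parameters() are taken from the snippet above and their bodies are not reproduced here.

```php
<?php
// Added example, not code from the plugin. Class names are hypothetical.
// configuration_plugin() and parameters() are the plugin's own methods
// (bodies not shown); only the guard in the constructor differs.

// BEFORE: is_admin() is true for any request aimed at an admin-area URL.
// It says nothing about who sent the request, so an unauthenticated
// visitor can reach the branch that writes the plugin settings.
class Yuzo_Options_Vulnerable {
    public $utils;

    function __construct() {
        global $if_utils;
        $this->utils = $if_utils;
        if ( is_admin() ) {
            self::configuration_plugin(); // settings are saved here
        } else {
            self::parameters();
        }
    }
}

// AFTER: the article's fix additionally requires the current user to be an
// administrator, so anonymous admin-area requests fall through to the
// read-only parameters() branch instead of touching the stored settings.
// Note: current_user_can() with a role name works, but the idiomatic
// WordPress check is the capability 'manage_options', which administrators
// hold by default and which survives custom role configurations.
class Yuzo_Options_Fixed {
    public $utils;

    function __construct() {
        global $if_utils;
        $this->utils = $if_utils;
        if ( is_admin() && current_user_can( 'administrator' ) ) {
            self::configuration_plugin(); // now reachable only by an administrator
        } else {
            self::parameters();
        }
    }
}
```

After applying the edit, confirm the change took effect by viewing the plugin's settings page while logged out in a separate browser session: the settings form should no longer be reachable, while the related-posts output on the front end continues to work.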
