Thousands of WordPress Sites Exposed by Yellow Pencil Plugin Flaw

Source: Bleeping Computer

The Yellow Pencil Visual Theme Customizer plugin was removed on Monday from the WordPress plugin repository because of a privilege escalation bug that would have allowed attackers to update arbitrary options on vulnerable installations.

More to the point, after successfully exploiting the vulnerability, malicious actors could potentially change both the site and the home URLs with an unauthenticated SQL injection.

This is exactly what happened to a number of unlucky webmasters who had their WordPress websites hacked because of the vulnerability discovered in the plugin, which has an install base of more than 30,000 websites, as reported here, here, and here.

Yellow Pencil attacks part of a larger campaign

Even though 30,000 websites is definitely not negligible, what makes
