Support » Plugin: Related Posts » Uninstall before you get hacked!

  • This morning my website was sort of hacked because of this plugin. The plugin has a leak which makes it for others possible to redirect your website URL’s to other shady websites (like news-tap, but also a lot of .tk domains). It also asks users for browser notifications (looking like they should accept this before they can go on). Please remove this plugin completely before the same happens to you.

    I guess that’s the reason why this plugin now is no longer available for download. The developers most have realized this. I regret that the developers did not even take the effort to inform the users about this (with an update stating: no longer safe, or something).

Viewing 9 replies - 1 through 9 (of 9 total)
  • From another thread in here:

    Same issue. People, uninstall, this plug-in has been compromised.

    Check the wp_options table:

    -- Show "infected" rows
    SELECT * FROM wp_options  WHERE option_value LIKE '%eval(String.fromCharCode%';
    
    -- Delete rows
    DELETE FROM wp_options  WHERE option_value LIKE '%eval(String.fromCharCode%';
    
    -- Delete all data related to the plug-in
    DELETE FROM wp_options  WHERE option_name LIKE '%yuzo%';

    I couldn’t find any other infected resources (like files). Luckily I had a pretty recent backup of my site from before the hack, did a file-level compare and didn’t find any changes. So it seems to only inject stuff into the database. But don’t take my word for it.

    mrjoseph

    (@josephhelela)

    This helped me find and remove the code from the database

    -- Show "infected" rows
    SELECT * FROM wp_options  WHERE option_value LIKE '%eval(String.fromCharCode%';
    
    -- Delete rows
    DELETE FROM wp_options  WHERE option_value LIKE '%eval(String.fromCharCode%';
    
    -- Delete all data related to the plug-in
    DELETE FROM wp_options  WHERE option_name LIKE '%yuzo%';
    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    For those disclosing the vulnerability, we ask that you please do not.

    Plugin Author Lenin Zapata ☄

    (@ilenstudio)

    Hello, I have had reports that they have broken the plugin in some way

    Recommendations:
    – Remove / Uninstall the plugin immediately.

    – Within your database go to the wp_options table and look for the value yuzo_related_post_options delete that record.

    – Do not delete the table of visits wp_yuzoviews, this does not influence the problem.

    Soon I will send an improved version of Yuzo for all users.

    Plugin Author Lenin Zapata ☄

    (@ilenstudio)

    @alhemicar I do not know but they must remove the plugin for security immediately even in the previous versions.
    I’m going to create some improvements and this will take me days

    Plugin Author Lenin Zapata ☄

    (@ilenstudio)

    some bad people have inserted a redirection, please remove the plugin immediately.

    Plugin Author Lenin Zapata ☄

    (@ilenstudio)

    @matrixpoland It was about security issues, not because I abandoned it.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Uninstall this plugin for now and follow these steps to delouse your site.

    Please remain calm and give this a good read.

    https://wordpress.org/support/article/faq-my-site-was-hacked/

    When you have successfully deloused your site then consider giving this a read too.

    https://wordpress.org/support/article/hardening-wordpress/

    Some of the replies here that helped have detailed information about that what to look for.

    https://wordpress.org/support/topic/immportant-uninstall-before-you-get-hacked/?view=all#post-11411992

    and

    https://wordpress.org/support/topic/immportant-uninstall-before-you-get-hacked/?view=all#post-11412190

    When a new release has been updated then consider installing that new version. For now, make sure the plugin has been removed and the plugin files have been deleted.

    This topic has been closed for a few reasons.

    • Users have elected to share the vulnerability. As another moderator replied, that’s not for here. The users who did that have had their account flagged for moderation. Moderated accounts will need their posts, replies and reviews approved by a moderator before anyone else can see that.

      This is a temporary flag and when the moderators are convinced that it will not happen again then the flag will be re-evaluated for that account.

    • The pile onto this topic doesn’t help anyone. I know you are concerned and that is legitimate. But this topic even went into a conversation with and about this author’s customers.

      That is not for these forums. If you are a customer of this author then contact them on their site. That is not a conversation for this volunteer support forum.

      https://wordpress.org/support/guidelines/#do-not-post-about-commercial-products

      I am positive that the author will want to discuss his customers concerns there.

    Please check your site and assume that the site has been compromised. Follow the instructions and if you are in need of help, then per the forum guidelines please start your own topic.

    https://wordpress.org/support/forum-user-guide/faq/#i-have-the-same-problem-can-i-just-reply-to-someone-elses-post-with-me-too

    For recovering a hacked WordPress installation you can do that in Fixing WordPress.

    https://wordpress.org/support/forum/how-to-and-troubleshooting/#new-post

    A site may be hacked via a specific plugin or theme but delousing a compromised site is not plugin specific. Posting in Fixing WordPress is the best place to get help for that.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    To everyone leaving comments – We don’t generally disclose WHY a plugin is closed in order to allow the developer time to fix it without causing permanent harm to their reputation.

    We are NEVER attempting ‘security through obscurity’ but really just trying to make sure people have a chance to fix things that may be more complex than they seemed.

    If you feel a plugin is insecure and needs to be fixed, please email plugins@wordpress.org and we can talk to you. But releasing this information in public sadly has the reverse outcome. That is, you end up putting MORE people at risk.

    I personally recommend that if a plugin has been closed for ANY reason more than 2 weeks, you uninstall it and find an alternative. That’s why we put the date on there for you 🙂 Anything without a date has been closed since before 2019, so that’s a safe bet. After 60 days, the overall reason why a plugin is closed will be disclosed, but not the specific details.

    It’s difficult to balance the needs of people to understand what’s happening and protecting them from bad people. This is not a perfect fix, but it’s what we’ve got right now, and we greatly appreciate you helping us with it.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Uninstall before you get hacked!’ is closed to new replies.