Support » Plugin: Wordfence Security - Firewall & Malware Scan » Webpage hacked report – YellowPencil

  • Resolved NormanW

    (@yugogardner)


    I have been hacked this week by “hellomyhony.com” which blocked access to my desktop and redirected page visitors to their site.

    With the help of the Pinnacle theme forum, I’ve removed the offending code and recovered my site.

    BUT what has come out is that 20 people using the Pinnacle theme all have the plugin YellowPencil installed. It seems that this plugin is the culprit.

    I can’t find any way report this to WordPress, but there are probably thousands of users who may be affected.

    I don’t have the skill to look for the payload and determine whether YellowPencil is an innocent provider, but as a responsible site owner I’d like to report the suspicions.

Viewing 7 replies - 1 through 7 (of 7 total)
  • They already released an update for pro users.
    Anyone using the free version should access their phpmyadmin dashboard. Search for wp_options ==> edit the urls back to your own url.

    After this acces the wordpress admin dashboard, export all the CSS you have created, copy the css in the custom css section of your theme and publish.

    After that deactivate the free version of Yellow Pencil. They will release an updated free version.

    ***UPDATE***

    Issue patched and update available. READ THE INSTRUCTIONS !

    https://yellowpencil.waspthemes.com/docs/important-security-update/

    • This reply was modified 9 months, 3 weeks ago by insanity83NL.

    Thank you very much for this information @insanity83nl

    It is really useful. I have added a link to it in the Pinnacle Themes forum, where there are a lot of people who have been struck with this attack this week.

    Thank you for this info. I don’t use that theme but I do use Yellow Pencil Pro. My page was hit for 2 days. The only change I could find was in the database options. I’ve gone an installed numerous security plugins and have done all the usual changes such as renaming database, path names and passwords. And it happened again. I just installed the yellow pencil update. Fingers are crossed. Are there any other files we should look at besides the database options that could have been changed?

    • This reply was modified 9 months, 3 weeks ago by mollycakes.

    @yugogardner
    No problem πŸ˜‰
    A change for everyone the get the pro version for free πŸ˜‰

    @mollycakes
    No other changes needed to be made. You’ve done what needed to happen πŸ˜‰

    • This reply was modified 9 months, 3 weeks ago by insanity83NL.

    My client also was hacked because he used YellowPencil plugin. We didn’t have WordFence. My question is, would WordFence have prevented hackers from exploiting the YellowPencil vulnerability?

    I had word fence and all in one security installed and my site was still hacked.

    Not a peep from word fence which usually alerts me about everything. Why? Because the hacker was able to gain admin rights in my WP, do the damage and delete the change logs.

    I was using the jnews theme at the time which comes with yellow pencil, the yellow pencil plugin was installed but not activated.

    I deleted the YP plugin, and all my admins including myself and used new email address for new admin accounts, as those bastards had set up themselves as admins as I said before, so they knew what admin names to look for when trying to get back in. Unfortunately I did not save the email addresses they added, I was working as they were trying to hack my site. They used IP addresses from US, China, Ukraine and UK. I also added Sucuri to my site to check for and malware…. so far so go…

    Plugin Support wfdave

    (@wfdave)

    Hi everyone,

    This was noticed by the Wordfence team pretty quickly and rules have been put in place to stop these types of attacks targeting sites with an old version of YellowPencil.

    https://www.wordfence.com/blog/2019/04/zero-day-vulnerability-in-yellow-pencil-visual-theme-customizer-exploited-in-the-wild/

    Dave

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Webpage hacked report – YellowPencil’ is closed to new replies.