We are seeing today a lot of hacked WordPress blogs due to a critical zero-day vulnerability in the WordPress YellowPencil Visual CSS Style Editor plugin which has 30,000+ active installations.
The vulnerability was fixed in version 7.2.1 on April 16, 2019.
The plugin has been closed by wordpress.org on April 8 (but it seems to be available on codecanyon.net), and a full disclosure including a POC published on the www.pluginvulnerabilities.com blog the following day.
The vulnerability allows an unauthenticated user to update WordPress options which can lead to redirecting the home page or getting full admin access to the CMS among other actions. The vulnerability is similar to the Easy WP SMTP plugin vulnerability we discovered last month.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this type of vulnerability.
Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet