Zero-day vulnerability in WordPress YellowPencil Visual CSS Style Editor plugin actively exploited.

Today we are seeing a large number of hacked WordPress sites caused by a critical zero-day vulnerability in the YellowPencil Visual CSS Style Editor plugin for WordPress, which has 30,000+ active installations.

The plugin was closed on wordpress.org on April 8 (although it still appears to be available on codecanyon.net), and a full disclosure, including a proof of concept, was published on the www.pluginvulnerabilities.com blog the following day.

The vulnerability allows an unauthenticated user to update WordPress options, which can be used, among other things, to redirect the site's home page or to gain full administrative access to the CMS. The vulnerability is similar to the Easy WP SMTP plugin vulnerability we discovered last month.
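As an added illustration of the mitigation side (this is example code written for this post, not part of the YellowPencil plugin or of NinjaFirewall), the following must-use plugin refuses changes to the options most often abused by this class of option-update bug unless the request comes from an administrator; the option list and the plugin name are assumptions chosen for the example.

```php
<?php
/*
Plugin Name: Sensitive Option Guard (hypothetical example, place in wp-content/mu-plugins/)
Description: Block and log unprivileged changes to options that can redirect
             the site or open the door to an administrator account.
*/

// Options an unauthenticated option-update bug typically targets:
// 'siteurl'/'home' redirect visitors, 'users_can_register' + 'default_role'
// turn open registration into an admin account, 'admin_email' hijacks resets.
// This list is an assumption for the example; extend it to your needs.
const SOG_GUARDED_OPTIONS = array(
    'siteurl',
    'home',
    'users_can_register',
    'default_role',
    'admin_email',
);

// 'pre_update_option' runs inside update_option() for every option
// (callback receives $value, $option, $old_value).
add_filter( 'pre_update_option', 'sog_guard_sensitive_option', 10, 3 );

function sog_guard_sensitive_option( $value, $option, $old_value ) {
    if ( ! in_array( $option, SOG_GUARDED_OPTIONS, true ) ) {
        return $value; // not a guarded option, leave it alone
    }

    // Legitimate changes come from an administrator (or from WP-CLI).
    // wp_get_current_user() is pluggable and only exists once WordPress
    // has finished loading, so treat earlier calls as unprivileged.
    $is_admin_user = function_exists( 'wp_get_current_user' )
        && current_user_can( 'manage_options' );
    if ( $is_admin_user || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return $value;
    }

    // Returning the old value makes update_option() a no-op, so the
    // database row is never touched; log enough to investigate later.
    error_log( sprintf(
        'Blocked unprivileged update of option "%s" from %s (URI: %s)',
        $option,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
    return $old_value;
}
```

Note that this only intercepts changes made through update_option(); it does not cover a plugin writing to the options table with direct SQL, which is one reason a firewall that inspects the request itself remains the stronger control.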

There is no fix available yet.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this type of vulnerability.