Bug Bounty Log: Yuzo Related Posts Stored XSS Vulnerability (2020)

As part of my bug bounty work in 2020, I discovered a critical security issue affecting the Yuzo Related Posts plugin on WordPress. While this vulnerability was promptly patched and the case is now closed, it remains a valuable example of the importance of vigilant plugin management and proactive security.

Summary of the Stored XSS Vulnerability

A Stored XSS vulnerability arises when user-supplied input is accepted and stored without proper sanitization, then output to users, allowing script execution in the browsers of anyone viewing the affected content. In 2020, I found such a flaw within the settings menu of the Yuzo Related Posts plugin. This allowed attackers to inject JavaScript directly into the WordPress database, posing risks to both admins and visitors. Thankfully, quick reporting and responsive patching ensured this issue was short-lived.

Vulnerability Details

Here are the core details as they appeared at the time:

  • Website Hosting: iPage (a web hosting provider, now part of Network Solutions)
  • Platform: WordPress
  • Vulnerable Plugin: Yuzo Related Posts
  • Vulnerability Type: Stored Cross-Site Scripting (XSS)
  • Severity Rating: High/Critical (due to lack of strong access controls)

Technical Analysis

The root of the exploit lay in the plugin’s admin interface.

The Vulnerable Endpoint

Attackers could target the backend at:
/wp-admin/admin.php?page=yuzo-related-post

The plugin did not reliably check a user’s authorization when changing settings, exposing a major risk.

The Targeted Parameter

The parameter yuzo_related_post_css_and_style accepted custom input. Without validation, attackers could inject <script> tags instead of CSS styles.

Proof of Concept (Payload)

At the time, I demonstrated the vulnerability with a simple HTTP POST carrying:

</style><script>alert('XSS Vulnerability Exploited');</script>

If a page displayed this field, the browser would execute the script. In real-world exploits, this could be swapped for cookie stealers or redirects.

Root Cause Analysis

Two main issues contributed:

  • Missing Authorization: No robust checks like is_admin() or WordPress nonces, letting unauthenticated POSTs through.
  • No Output Sanitization: The plugin did not use wp_kses_post() or esc_html(), trusting input from the database.

Impact of the Vulnerability

Back in 2020, possible consequences included:

  • Malicious Redirects: Unwitting visitors sent to external sites.
  • Session Hijacking: Admin cookies could be stolen, giving attackers backend access.
  • Backdoor Accounts: Hidden admins created for persistent access.
  • SEO Issues: Google warnings and loss of client trust.

Timeline of Disclosure and Patching

This vulnerability is a strong example of responsible disclosure leading to rapid improvement:

  1. Discovery: I reported the stored XSS in early January 2020.
  2. Public Disclosure: Security advisories raised awareness among site operators.
  3. Plugin Removed: The plugin was temporarily taken down to protect users.
  4. Patch Released: The developer quickly released an updated, secure version.

Resolution and Prevention Strategies

While this vulnerability is long since patched, the response path provides lasting lessons for site owners and devs.

Step 1: Remove or Update Vulnerable Plugins

Uninstall or update outdated plugins ASAP to close security holes.

Step 2: Clean the Database

Check for any lingering malicious payloads in the database, such as inside yuzo_related_post_options in the wp_options table.

Step 3: Implement Security Layers

A Web Application Firewall (WAF) protects against future injection attacks.

Step 4: Ensure Regular Backups

Reliable, automated backups let you restore quickly from any incident.

Securing Your WordPress Environment: Lessons Learned

Looking back, this case was a textbook demonstration of the risks posed by neglected plugins and the power of responsible, coordinated disclosure. Even years later, the lessons are clear: always audit your plugins, sanitize input and output, and keep your software up to date. These basic steps are the foundation of long-term WordPress security.

Original report:
https://www.openbugbounty.org/reports/1055611/36e4d8de65ddeae882bfaee78743e00c/