CVE-2019-11886
Published: 2019-05-13
Priority: P2 · 74 · high · 8.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 1.89% (77.0th percentile)
The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yellowpencil | visual_css_style_editor | < 7.2.1 | 7.2.1 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-post.php with the query parameter yp_remote_get, which is the attack vector for this CSRF/privilege escalation vulnerability.
- Look for the yp_json_import_data POST body parameter containing base64-encoded values (e.g., MQ== for '1', MA== for '0') targeting the users_can_register WordPress option, indicating an attempt to enable open registration for privilege escalation.
- Confirm plugin presence on a host by searching for the plugin path string in the page body, as used in FOFA fingerprinting.
- Successful exploitation can be validated by checking /wp-login.php for the presence of 'wp-login-register', indicating open user registration was enabled by the attacker.
- The exploit uses a two-step flow: first enabling user registration (MQ== = '1') via yp_json_import_data, then reverting it (MA== = '0') after account creation. Detection logic must account for both POST requests as part of the same attack chain.
- The vulnerability is exploitable without authentication (CSRF), meaning no session cookie or authentication header is required in the malicious POST request.
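The detection points above, turned into a small log-correlation script. This is an added example, not code from this page, from the plugin, or from any of the listed sources. It assumes request records come from a reverse proxy or WAF that retains request bodies, and it assumes yp_json_import_data carries a JSON object mapping option names to base64 values (the page gives only the base64 values, not the surrounding shape). All request records, addresses and timestamps are constructed. It flags each trigger request, decodes the option values, notes whether the request carried a session cookie (absence is consistent with CSRF), and correlates the enable/revert pair from one source into a single chain.

```python
import base64
import binascii
import json
from urllib.parse import parse_qs, urlencode, urlsplit

ADMIN_POST = "/wp-admin/admin-post.php"
TRIGGER_PARAM = "yp_remote_get"
BODY_PARAM = "yp_json_import_data"
WATCHED_OPTION = "users_can_register"


def _import_body(options):
    # Builds a form body in the ASSUMED shape: a JSON object whose values are
    # base64-encoded option values (MQ== is "1", MA== is "0").
    return urlencode({BODY_PARAM: json.dumps(options)})


# Constructed request records, not real traffic: the fields a proxy or WAF that
# logs bodies would retain. 198.51.100.7 performs enable -> register -> revert;
# 203.0.113.5 is ordinary authenticated admin use of the same endpoint.
SAMPLE_REQUESTS = [
    {"ts": "2019-04-10T10:00:01Z", "src": "198.51.100.7", "method": "POST",
     "url": ADMIN_POST + "?yp_remote_get=1", "cookie": "",
     "body": _import_body({WATCHED_OPTION: "MQ=="})},
    {"ts": "2019-04-10T10:00:09Z", "src": "198.51.100.7", "method": "POST",
     "url": "/wp-login.php?action=register", "cookie": "",
     "body": "user_login=newacct&user_email=newacct%40example.invalid"},
    {"ts": "2019-04-10T10:00:15Z", "src": "198.51.100.7", "method": "POST",
     "url": ADMIN_POST + "?yp_remote_get=1", "cookie": "",
     "body": _import_body({WATCHED_OPTION: "MA=="})},
    {"ts": "2019-04-10T10:02:00Z", "src": "203.0.113.5", "method": "POST",
     "url": ADMIN_POST + "?action=yp_save", "cookie": "wordpress_logged_in_example=constructed",
     "body": "nonce=constructed"},
]


def is_trigger_request(req):
    """POST to admin-post.php whose query string carries yp_remote_get."""
    parts = urlsplit(req["url"])
    query = parse_qs(parts.query, keep_blank_values=True)
    return req["method"] == "POST" and parts.path == ADMIN_POST and TRIGGER_PARAM in query


def decode_import_data(body):
    """Map option name -> decoded value from yp_json_import_data.

    Returns {} when the parameter is absent or not a JSON object, and None for a
    value that is not valid base64, so malformed probes are still surfaced.
    """
    raw = parse_qs(body, keep_blank_values=True).get(BODY_PARAM)
    if not raw:
        return {}
    try:
        payload = json.loads(raw[0])
    except json.JSONDecodeError:
        return {}
    if not isinstance(payload, dict):
        return {}
    decoded = {}
    for option, value in payload.items():
        try:
            decoded[option] = base64.b64decode(str(value), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded[option] = None
    return decoded


def analyse(requests):
    """Return per-request events plus (src, enabled_at, reverted_at) chains."""
    events = []
    for req in requests:
        if not is_trigger_request(req):
            continue
        events.append({
            "ts": req["ts"],
            "src": req["src"],
            "options": decode_import_data(req["body"]),
            # No session cookie on a state-changing admin request is the CSRF signature.
            "unauthenticated": not req.get("cookie"),
        })
    chains = []
    pending = {}  # src -> timestamp of an enable not yet followed by a revert
    for evt in sorted(events, key=lambda e: e["ts"]):
        toggle = evt["options"].get(WATCHED_OPTION)
        if toggle == "1":
            pending[evt["src"]] = evt["ts"]
        elif toggle == "0" and evt["src"] in pending:
            chains.append((evt["src"], pending.pop(evt["src"]), evt["ts"]))
    return {"events": events, "chains": chains}


if __name__ == "__main__":
    result = analyse(SAMPLE_REQUESTS)
    for evt in result["events"]:
        print(f"{evt['ts']} {evt['src']} options={evt['options']} unauthenticated={evt['unauthenticated']}")
    for src, start, end in result["chains"]:
        print(f"CHAIN {src}: registration enabled at {start}, reverted at {end}")
```

The chain detection deliberately keys on the source address and on the order of the toggles rather than on a fixed time window, because the revert step can come long after registration; a lone enable with no revert is still reported as an event, so a half-finished attempt is not lost.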
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | | 8.8 | HIGH | |
GHSA
GHSA-hrmr-jgrx-82h5 · ghsa_unreviewed · 2022-05-24 · CVE-2019-11886 [HIGH]
The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.
VulnCheck
yellowpencil visual_css_style_editor Cross-Site Request Forgery (CSRF) · vulncheck · 2019 · CVSS 8.8 · CVE-2019-11886 [HIGH]
The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.
Affected: yellowpencil visual_css_style_editor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/blog/2019/04/zero-day-vulnerability-in-yellow-pencil-visual-theme-customizer-exploited-in-the-wild/
No detection rules found.
Nuclei
Yellow Pencil Visual Theme Customizer < 7.2.1 - Privilege Escalation · nuclei · CVSS 8.8 · CVE-2019-11886 [HIGH]
The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.
Template (as indexed; the text is cut off at the end):

```yaml
id: CVE-2019-11886

info:
  name: Yellow Pencil Visual Theme Customizer < 7.2.1 - Privilege Escalation
  author: daffainfo
  severity: high
  description: |
    The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.
  impact: |
    Unauthenticated attackers can exploit CSRF to escalate privileges to administrator level, gaining complete control over the WordPress sit
```
No writeups or analysis indexed.
References
- https://wordpress.org/plugins/yellow-pencil-visual-theme-customizer/#developers
- https://wpvulndb.com/vulnerabilities/9256
- https://www.pluginvulnerabilities.com/2019/04/09/recently-closed-visual-css-style-editor-wordpress-plugin-contains-privilege-escalation-vulnerability-that-leads-to-option-update-vulnerability/
- https://www.wordfence.com/blog/2019/04/zero-day-vulnerability-in-yellow-pencil-visual-theme-customizer-exploited-in-the-wild/