CVE-2019-11886
published 2019-05-13


Priority: P2 74 (high) · CVSS 3.0: 8.8
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Exploited in the wild (ITW): yes, listed in VulnCheck KEV
EPSS: 1.89% (77.0th percentile)
The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.

Affected

1 range

Vendor        Product                   Version range   Fixed in
yellowpencil  visual_css_style_editor   < 7.2.1         7.2.1

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-post.php?yp_remote_get=test
command: yp_json_import_data=[{"users_can_register":"MQ=="}]
command: yp_json_import_data=[{"users_can_register":"MA=="}]
path: /wp-content/plugins/yellow-pencil-visual-theme-customizer/
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-post.php that carry the query parameter yp_remote_get; that parameter is the trigger for the vulnerable option-update path behind this CSRF/privilege-escalation flaw.
  • Look for the yp_json_import_data POST body parameter carrying a JSON array of option names mapped to base64-encoded values (MQ== decodes to '1', MA== to '0'). A value targeting the users_can_register WordPress option indicates an attempt to enable open registration as the first step of privilege escalation.
  • Confirm plugin presence on a target by searching for the plugin path string (/wp-content/plugins/yellow-pencil-visual-theme-customizer/) in the page body, which is the fingerprint used in FOFA queries.
  • Successful exploitation can be validated by checking /wp-login.php for the string 'wp-login-register', which indicates that open user registration was enabled by the attacker.
  • The exploit uses a two-step flow: first enabling user registration (MQ== = '1') via yp_json_import_data, then reverting it (MA== = '0') once an account has been created. Detection logic must treat both POST requests, typically from the same source within a short window, as part of one attack chain; a rule that only fires on the enable step will miss the clean-up, and a rule that only fires on the revert step will miss the initial compromise.
  • The request needs no session cookie or authentication header: the option-update handler is reachable by any visitor, which is also why the request can be delivered cross-site (CSRF). Detection rules must therefore not filter on authenticated sessions, and the absence of a WordPress login cookie on these requests is not a reason to discard them.
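The detection logic described in the bullets above, as an added example that is not part of the original page or of any vendor's tooling: it parses constructed access-log lines (the log format, the appended request body field and the IP addresses are assumptions; real access logs do not carry POST bodies, so in practice this input would come from a WAF or request-logging layer), flags admin-post.php requests carrying yp_remote_get, decodes the base64 option values inside yp_json_import_data, and correlates the enable-then-revert toggle of users_can_register per source address.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log (assumed format: common log prefix, request line,
# status, then the URL-encoded POST body in quotes). Addresses are from the
# documentation ranges and are not real attacker infrastructure.
SAMPLE_LOG = """\
198.51.100.7 - - [13/May/2019:10:01:02 +0000] "POST /wp-admin/admin-post.php?yp_remote_get=test HTTP/1.1" 200 "yp_json_import_data=%5B%7B%22users_can_register%22%3A%22MQ%3D%3D%22%7D%5D"
198.51.100.7 - - [13/May/2019:10:01:40 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 "user_login=helper&user_email=helper%40example.org"
198.51.100.7 - - [13/May/2019:10:02:15 +0000] "POST /wp-admin/admin-post.php?yp_remote_get=test HTTP/1.1" 200 "yp_json_import_data=%5B%7B%22users_can_register%22%3A%22MA%3D%3D%22%7D%5D"
203.0.113.9 - - [13/May/2019:10:05:00 +0000] "GET /wp-content/plugins/yellow-pencil-visual-theme-customizer/css/style.css HTTP/1.1" 200 "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)


def parse_log(text):
    """Split the constructed log into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def _decode_value(raw):
    """Option values in yp_json_import_data are base64; fall back to the raw string."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return raw


def extract_option_updates(entries):
    """Return one finding per option carried in a yp_remote_get POST."""
    findings = []
    for e in entries:
        url = urlparse(e["target"])
        if e["method"] != "POST" or not url.path.endswith("/wp-admin/admin-post.php"):
            continue
        if "yp_remote_get" not in parse_qs(url.query):
            continue
        body = parse_qs(e["body"])
        for payload in body.get("yp_json_import_data", []):
            try:
                items = json.loads(payload)
            except json.JSONDecodeError:
                items = []
            for item in items if isinstance(items, list) else []:
                for option, raw in item.items():
                    findings.append({
                        "src": e["src"],
                        "ts": e["ts"],
                        "option": option,
                        "raw": raw,
                        "decoded": _decode_value(raw),
                    })
    return findings


def find_registration_toggle_chains(findings):
    """Group users_can_register changes by source and flag enable-then-revert."""
    by_src = {}
    for f in findings:
        if f["option"] == "users_can_register":
            by_src.setdefault(f["src"], []).append(f["decoded"])
    chains = {}
    for src, values in by_src.items():
        enabled_at = next((i for i, v in enumerate(values) if v == "1"), None)
        reverted = enabled_at is not None and "0" in values[enabled_at + 1:]
        chains[src] = {"values": values, "enable_then_revert": reverted}
    return chains


if __name__ == "__main__":
    found = extract_option_updates(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']} {f['src']} set {f['option']} = {f['decoded']!r} (raw {f['raw']})")
    for src, chain in find_registration_toggle_chains(found).items():
        print(src, chain)
```

Any yp_remote_get POST that rewrites an option is worth alerting on regardless of the option name; the per-source correlation is what distinguishes the full exploit chain from a single probe, and it deliberately ignores whether the request carried a WordPress login cookie.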

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd        v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck            8.8     HIGH