shakaran/patch-yuzo-related-post.php

## patch-yuzo-related-post.php
<?php
/**
@author Ángel Guzmán Maeso <angel@guzmanmaeso.com>
@web https://shakaran.net/blog
This is another similar Critical zero-day vulnerability fixed in WordPress Easy WP SMTP plugin and Social Warfare Plugin but for another
plugin with the same problem called "Related Post" or "yuzo-related-post".

"This plugin was closed on March 30, 2019 and is no longer available for download."
https://wordpress.org/plugins/yuzo-related-post/
https://yuzopro.com

This is cleaner script for security vulnerability related with "Related Post" from Yuzo or Lenin Zapata (http://ilentheme.com/).

This version only covers "Related Post" settings infected
Exploitation Level: Very Easy / Remote
DREAD Score: 9.4
Vulnerability: Arbitrary Option Update
Patched Version: 1.3.9.1
Instructions: Just upload this to your root worpdress base instalation folder, where the wp-load.php is present and execute the file
via HTTP request o php CLI. It would replace the affected value for Social Warfare settings if infected

@see https://blog.sucuri.net/2019/03/0day-vulnerability-in-easy-wp-smtp-affects-thousands-of-sites.html
@see https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin/
@see https://twitter.com/unmaskparasites/status/1109085601763155970
*/

require_once 'wp-load.php';
$yuzo_related_post_options = get_option('yuzo_related_post_options');
if (isset($yuzo_related_post_options['yuzo_related_post_css_and_style']) && strpos($yuzo_related_post_options['yuzo_related_post_css_and_style'], 'script') !== false)
{
    $yuzo_related_post_options['yuzo_related_post_css_and_style'] = '</style>';
    update_option('yuzo_related_post_options', $yuzo_related_post_options);
    echo '<span	style="color:green">Hack cleaned!</span>';
}
else
{
   echo '<span  style="color:black">Hack not present</span>';
}

/*
Another useful workaround for debug:

-- Show "infected" rows
SELECT * FROM wp_options  WHERE option_value LIKE '%eval(String.fromCharCode%';

-- Delete rows
DELETE FROM wp_options  WHERE option_value LIKE '%eval(String.fromCharCode%';

-- Delete all data related to the plug-in
DELETE FROM wp_options  WHERE option_name LIKE '%yuzo%';

Via SSH:

grep "eval(String.fromCharCode" /yourblogroute/wp-dump.sql | fold -w 400 | grep -C 1 "eval(String.fromCharCode"
*/
	<?php
	/**
	@author Ángel Guzmán Maeso <angel@guzmanmaeso.com>
	@web https://shakaran.net/blog
	This is another similar Critical zero-day vulnerability fixed in WordPress Easy WP SMTP plugin and Social Warfare Plugin but for another
	plugin with the same problem called "Related Post" or "yuzo-related-post".

	"This plugin was closed on March 30, 2019 and is no longer available for download."
	https://wordpress.org/plugins/yuzo-related-post/
	https://yuzopro.com

	This is cleaner script for security vulnerability related with "Related Post" from Yuzo or Lenin Zapata (http://ilentheme.com/).

	This version only covers "Related Post" settings infected
	Exploitation Level: Very Easy / Remote
	DREAD Score: 9.4
	Vulnerability: Arbitrary Option Update
	Patched Version: 1.3.9.1
	Instructions: Just upload this to your root worpdress base instalation folder, where the wp-load.php is present and execute the file
	via HTTP request o php CLI. It would replace the affected value for Social Warfare settings if infected

	@see https://blog.sucuri.net/2019/03/0day-vulnerability-in-easy-wp-smtp-affects-thousands-of-sites.html
	@see https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin/
	@see https://twitter.com/unmaskparasites/status/1109085601763155970
	*/

	require_once 'wp-load.php';
	$yuzo_related_post_options = get_option('yuzo_related_post_options');
	if (isset($yuzo_related_post_options['yuzo_related_post_css_and_style']) && strpos($yuzo_related_post_options['yuzo_related_post_css_and_style'], 'script') !== false)
	{
	$yuzo_related_post_options['yuzo_related_post_css_and_style'] = '</style>';
	update_option('yuzo_related_post_options', $yuzo_related_post_options);
	echo '<span style="color:green">Hack cleaned!</span>';
	}
	else
	{
	echo '<span style="color:black">Hack not present</span>';
	}

	/*
	Another useful workaround for debug:

	-- Show "infected" rows
	SELECT * FROM wp_options WHERE option_value LIKE '%eval(String.fromCharCode%';

	-- Delete rows
	DELETE FROM wp_options WHERE option_value LIKE '%eval(String.fromCharCode%';

	-- Delete all data related to the plug-in
	DELETE FROM wp_options WHERE option_name LIKE '%yuzo%';

	Via SSH:

	grep "eval(String.fromCharCode" /yourblogroute/wp-dump.sql \| fold -w 400 \| grep -C 1 "eval(String.fromCharCode"
	*/