@shakaran
Last active April 10, 2019 16:30
Patch for the zero-day vulnerability in the Yuzo Related Post plugin (Lenin Zapata, http://ilentheme.com, https://yuzopro.com)
<?php
/**
 * @author Ángel Guzmán Maeso <[email protected]>
 * @web https://shakaran.net/blog
 *
 * This is another critical zero-day vulnerability, similar to the ones fixed in the WordPress Easy WP SMTP
 * and Social Warfare plugins, but in another plugin with the same problem: "Related Post" ("yuzo-related-post").
 * "This plugin was closed on March 30, 2019 and is no longer available for download."
 * https://wordpress.org/plugins/yuzo-related-post/
 * https://yuzopro.com
 *
 * This is a cleaner script for the security vulnerability in "Related Post" by Yuzo / Lenin Zapata (http://ilentheme.com/).
 * This version only covers infected "Related Post" settings.
 *
 * Exploitation Level: Very Easy / Remote
 * DREAD Score: 9.4
 * Vulnerability: Arbitrary Option Update
 * Patched Version: 1.3.9.1
 *
 * Instructions: upload this file to the root of your WordPress installation (the folder where wp-load.php is)
 * and execute it via an HTTP request or the PHP CLI. It replaces the affected value in the "Related Post"
 * settings if they are infected.
 *
 * @see https://blog.sucuri.net/2019/03/0day-vulnerability-in-easy-wp-smtp-affects-thousands-of-sites.html
 * @see https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin/
 * @see https://twitter.com/unmaskparasites/status/1109085601763155970
 */
require_once 'wp-load.php';

// The plugin stores all of its settings as one serialized array under this option name.
$yuzo_related_post_options = get_option('yuzo_related_post_options');

// The injection lands in the "custom CSS" field as a <script> tag, so a "script" substring there is suspicious.
// Note: strpos() is case-sensitive, so a payload written as "<SCRIPT>" would not match this check.
if (isset($yuzo_related_post_options['yuzo_related_post_css_and_style'])
    && strpos($yuzo_related_post_options['yuzo_related_post_css_and_style'], 'script') !== false)
{
    // Overwrite the field with a harmless closing tag and persist the cleaned array.
    $yuzo_related_post_options['yuzo_related_post_css_and_style'] = '</style>';
    update_option('yuzo_related_post_options', $yuzo_related_post_options);
    echo '<span style="color:green">Hack cleaned!</span>';
}
else
{
    echo '<span style="color:black">Hack not present</span>';
}

/*
Another useful workaround for debugging:

-- Show "infected" rows
SELECT * FROM wp_options WHERE option_value LIKE '%eval(String.fromCharCode%';

-- Delete the infected rows
DELETE FROM wp_options WHERE option_value LIKE '%eval(String.fromCharCode%';

-- Delete all data related to the plugin
DELETE FROM wp_options WHERE option_name LIKE '%yuzo%';

Via SSH:
grep "eval(String.fromCharCode" /yourblogroute/wp-dump.sql | fold -w 400 | grep -C 1 "eval(String.fromCharCode"
*/
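The SQL and grep commands above only tell you that the `eval(String.fromCharCode(...))` indicator is present somewhere in wp_options. The following Python script, added here and not part of the gist, goes one step further for an incident responder: it scans (option_name, option_value) rows for that same indicator and decodes the character codes so the hidden script can be read. The rows are constructed samples; the serialized-array fragment is abbreviated rather than a complete PHP serialized value.

```python
"""Scan wp_options rows for the eval(String.fromCharCode(...)) indicator and decode it."""
import re

# Same indicator the gist's SQL and grep look for; whitespace inside the call is tolerated.
INDICATOR_RE = re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(([\d\s,]*)\)\s*\)")

# Constructed sample rows (option_name, option_value), shaped like a wp_options dump.
# The decoded payload here is a harmless alert(1); real injections are much longer.
SAMPLE_ROWS = [
    ("siteurl", "https://example.invalid"),
    ("yuzo_related_post_options",
     'a:2:{s:31:"yuzo_related_post_css_and_style";s:79:"</style><script>'
     "eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>"
     '";s:17:"yuzo_related_post";i:1;}'),
    ("yuzo_related_post_css", "</style>"),
]


def decode_fromcharcode(value: str) -> list:
    """Return each script hidden in eval(String.fromCharCode(...)) within value."""
    scripts = []
    for match in INDICATOR_RE.finditer(value):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        scripts.append("".join(chr(c) for c in codes))
    return scripts


def scan_options(rows) -> list:
    """Mirror the gist's SELECT: report rows whose option_value carries the indicator."""
    findings = []
    for option_name, option_value in rows:
        scripts = decode_fromcharcode(option_value)
        if scripts:
            findings.append({"option_name": option_name, "decoded": scripts})
    return findings


if __name__ == "__main__":
    for finding in scan_options(SAMPLE_ROWS):
        print(finding["option_name"], "->", finding["decoded"])
```

To use it on a real site, feed it rows read from a wp_options dump (for example via a CSV export or a database cursor) instead of SAMPLE_ROWS.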