After tracking exploits of a zero-day XSS vulnerability in the Rich Reviews plugin for WordPress, Wordfence is recommending that users remove it from their websites. The company estimates that there are 16,000 active installations vulnerable to unauthenticated plugin option updates, the entry point of the exploit chain it describes:
Attackers are currently abusing this exploit chain to inject malvertising code into target websites. The malvertising code creates redirects and popup ads. Our team has been tracking this attack campaign since April of this year.
Rich Reviews was removed from the WordPress.org Plugin Directory on March 11, 2019, due to a security issue.
One week ago, a Rich Reviews plugin user reported that three of her four sites using the plugin were infected with redirect scripts and that removing the plugin fixed the issue. Nuanced Media, the digital marketing agency that authors the plugin, responded to the post indicating that a new version would be released within two weeks:
We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.
Oddly, there seemed to be no rush to patch the issue currently being exploited. Yesterday, less than a week after assuring users that a new version was coming, the company behind the plugin announced that it is discontinuing active support and development of Rich Reviews.
Nuanced Media CEO Ryan Flannagan cited Google’s recent changes to its business review guidelines as the reason for discontinuing its development.
“As part of this update, in the organic search results, Google has decided to remove all merchant review star ratings that businesses display on their own URL,” Flannagan said.
“Based on this information, we have discontinued all active development and support on Rich Reviews. We apologize for any inconvenience.”
The announcement does not include any information about the vulnerability or the recent exploits. Users should assume that no patch is coming, since the plugin has been officially discontinued. It is already unavailable to new users on WordPress.org, but those who still have Rich Reviews active on their sites should deactivate it and delete it as soon as possible to avoid getting hacked. Deactivating alone is not enough, since the plugin's files stay on disk until it is deleted, and after removal it is worth confirming that the redirects and popup ads Wordfence describes are gone.
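For operators running several WordPress sites (the user above had four), the practical check is to find every install that still ships the plugin and remove it in one pass. The script below is an added example written for this page, not code from the article, from Wordfence or from Nuanced Media. It assumes the plugin's directory slug is `rich-reviews` and that each WordPress install can be located by its `wp-config.php`; both are illustrative assumptions, and the removal step relies on WP-CLI (`wp`) being installed on the host.

```shell
#!/usr/bin/env bash
# Added example: triage helper to find and remove the Rich Reviews plugin
# across many WordPress installs. Not the plugin's or the article's code.
# Assumptions (illustrative): plugin directory slug is "rich-reviews";
# each install is identified by a wp-config.php in its docroot.
set -u

PLUGIN_SLUG="rich-reviews"

# Print every WordPress docroot under $1 (directories holding wp-config.php).
list_wp_roots() {
  find "$1" -maxdepth 4 -type f -name wp-config.php -exec dirname {} \; | sort
}

# Print the docroots under $1 that still have the plugin directory on disk.
# Exit status 0 if at least one was found, 1 if none (via the trailing grep).
find_rich_reviews() {
  list_wp_roots "$1" | while IFS= read -r root; do
    [ -d "$root/wp-content/plugins/$PLUGIN_SLUG" ] && printf '%s\n' "$root"
  done | grep .
}

# Deactivate and then delete the plugin from one docroot with WP-CLI.
# Deactivating alone leaves the files in place; "plugin delete" removes them.
remove_rich_reviews() {
  root="$1"
  if ! command -v wp >/dev/null 2>&1; then
    echo "wp-cli not found; remove $root/wp-content/plugins/$PLUGIN_SLUG by hand" >&2
    return 2
  fi
  wp --path="$root" plugin is-installed "$PLUGIN_SLUG" || return 0
  wp --path="$root" plugin deactivate "$PLUGIN_SLUG" &&
    wp --path="$root" plugin delete "$PLUGIN_SLUG"
}

# Usage (run as the web user, with /var/www replaced by your hosting root):
#   find_rich_reviews /var/www | while IFS= read -r r; do remove_rich_reviews "$r"; done
```

`find_rich_reviews` only reports installs that still have the plugin directory on disk; it cannot tell whether the plugin is active, which is why `remove_rich_reviews` always runs `deactivate` before `delete`.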