Almost a month ago, researchers highlighted multiple WordPress plugins with serious vulnerabilities that criminal hackers were exploiting for malicious activities such as malvertising. Now, once again, researchers have pointed out a vulnerability in another plugin, Rich Reviews, which is being actively exploited by attackers.
Unpatched Rich Reviews Plugin Vulnerability
Wordfence has once again spotted a serious malicious campaign in the wild abusing a WordPress plugin. This time, it is the Rich Reviews plugin that is under active exploitation.
As revealed in their report, the plugin’s flaw has put around 16,000 websites at risk. These websites actively run the plugin and are hence vulnerable to unauthenticated attacks.
According to the researchers, the Rich Reviews plugin has ‘two core issues’ that together allow an unauthenticated adversary to inject XSS payloads. As stated in their report:
The two core issues in the Rich Reviews plugin are a lack of access controls for modifying the plugin’s options, and a subsequent lack of sanitization on the values of those options.
By exploiting the vulnerability, attackers can inject malicious code into vulnerable websites. That code, in turn, lets the attackers perform malvertising by creating redirects and popup ads.
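To make the two issues concrete, here is an added illustration in PHP of the pattern Wordfence describes, written for this article and not taken from the Rich Reviews plugin's actual code. It shows an option-update handler with no access control next to a hardened version that checks capability and nonce, sanitizes on storage, and escapes on output. The option name `rr_example_heading`, the action slugs, and the settings page slug are hypothetical.

```php
<?php
/**
 * Added illustration (not the Rich Reviews plugin's own code) of the two issues
 * described above: an option-update handler with no access control, and an
 * option value that is stored and printed without sanitization or escaping.
 * The option name 'rr_example_heading' and all action slugs are hypothetical.
 */

// --- Vulnerable pattern -------------------------------------------------
// Any visitor can reach admin-post.php?action=rr_save_heading_vuln: the
// *_nopriv_ hook admits unauthenticated requests, there is no capability
// check, no nonce, and the raw request value is stored as-is.
add_action( 'admin_post_nopriv_rr_save_heading_vuln', 'rr_save_heading_vuln' );
add_action( 'admin_post_rr_save_heading_vuln', 'rr_save_heading_vuln' );
function rr_save_heading_vuln() {
    update_option( 'rr_example_heading', $_POST['heading'] ); // unsanitized
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// The stored value is later echoed raw on every page load, so whatever was
// written into the option runs in every visitor's browser (stored XSS).
function rr_render_heading_vuln() {
    echo '<h2>' . get_option( 'rr_example_heading' ) . '</h2>';
}

// --- Hardened pattern ---------------------------------------------------
// 1. No *_nopriv_ hook, so only logged-in users can reach the handler.
// 2. The handler requires the manage_options capability.
// 3. A nonce ties the request to an intentional admin action (CSRF defence).
// 4. The value is sanitized before storage and escaped again on output.
add_action( 'admin_post_rr_save_heading', 'rr_save_heading' );
function rr_save_heading() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'rr_save_heading_action', 'rr_nonce' );

    $heading = isset( $_POST['heading'] )
        ? sanitize_text_field( wp_unslash( $_POST['heading'] ) )
        : '';
    update_option( 'rr_example_heading', $heading );

    wp_safe_redirect( admin_url( 'options-general.php?page=rr-example&updated=1' ) );
    exit;
}

// Escape at output time regardless of what is stored: storage-side
// sanitization and output escaping are separate layers, and either one
// alone would have left this plugin exposed.
function rr_render_heading() {
    echo '<h2>' . esc_html( get_option( 'rr_example_heading', '' ) ) . '</h2>';
}

// Settings form that emits the nonce the hardened handler expects.
function rr_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rr_save_heading">
        <?php wp_nonce_field( 'rr_save_heading_action', 'rr_nonce' ); ?>
        <input type="text" name="heading"
               value="<?php echo esc_attr( get_option( 'rr_example_heading', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The point of the side-by-side is that the two issues compound: the missing capability check is what makes the attack unauthenticated, and the missing sanitization and escaping are what turn an arbitrary option write into script executing in visitors' browsers. Fixing only one of them would still leave a lesser bug (an authenticated stored XSS, or an unauthenticated option overwrite).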
Possible Mitigation
After discovering this vulnerability, the researchers waited 7 days for the developers to fix the actively exploited flaw. However, they had to disclose the vulnerability publicly, since the plugin had already been removed from the WordPress repository, which makes it impossible for affected users to receive an update.
The Rich Reviews plugin was removed from the WordPress repository 6 months ago. That means that, even if the developers release a fix, customers will not be able to update until the plugin is reinstated in the repository.
Moreover, as revealed in a forum post, the developers are still in the middle of rewriting the plugin.
We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.
In a recent update, Nuanced Media announced the discontinuation of the plugin and mentioned that it has been taken over by Starfish Reviews.
The only mitigation for WordPress site owners is to remove the plugin altogether.