Rich Reviews Plugin Discontinued after Vulnerabilities Exploited in the Wild

After tracking exploits of a zero-day XSS vulnerability in the Rich Reviews plugin for WordPress, Wordfence is recommending that users remove it from their websites. The company estimates that there are 16,000 active installations vulnerable to unauthenticated plugin option updates:

Attackers are currently abusing this exploit chain to inject malvertising code into target websites. The malvertising code creates redirects and popup ads. Our team has been tracking this attack campaign since April of this year.
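To make the vulnerability class described above concrete, here is an added illustration (hypothetical code, not the Rich Reviews plugin's own) of a plugin option-update handler that accepts writes from any unauthenticated request and echoes the stored value unescaped, beside a hardened version that requires a capability, a nonce, whitelisted and sanitized input, and escaped output. The option name `rr_settings`, the action `rr_save_settings` and the settings page slug are assumptions.

```php
<?php
// Hypothetical illustration of unauthenticated option updates leading to stored XSS.
// Not the Rich Reviews plugin's code; option/hook names are made up for this example.

// --- Vulnerable pattern: runs on every request ('init'), no login, no capability,
// no nonce, no sanitization. Any visitor can overwrite the option, and because the
// value is later printed unescaped, injected markup runs in every visitor's browser.
add_action( 'init', function () {
    if ( isset( $_POST['rr_settings'] ) ) {
        update_option( 'rr_settings', wp_unslash( $_POST['rr_settings'] ) ); // untrusted input stored as-is
    }
} );
add_action( 'wp_footer', function () {
    $opts = get_option( 'rr_settings', array() );
    echo isset( $opts['footer_text'] ) ? $opts['footer_text'] : ''; // unescaped output
} );

// --- Hardened pattern: admin_post_{action} only fires for logged-in users; we still
// check the capability, verify a nonce (CSRF), whitelist keys, sanitize on write and
// escape on output.
add_action( 'admin_post_rr_save_settings', 'rr_save_settings' );
function rr_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'rr_save_settings', 'rr_nonce' ); // dies if the nonce is missing/invalid

    $allowed = array( 'footer_text', 'per_page' ); // only these keys may be written
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        }
    }
    $clean['per_page'] = isset( $clean['per_page'] ) ? absint( $clean['per_page'] ) : 10;

    update_option( 'rr_settings', $clean );
    wp_safe_redirect( admin_url( 'options-general.php?page=rr-settings&updated=1' ) );
    exit;
}
add_action( 'wp_footer', function () {
    $opts = get_option( 'rr_settings', array() );
    echo esc_html( isset( $opts['footer_text'] ) ? $opts['footer_text'] : '' ); // escape on output
} );
```

The settings form that posts to `admin-post.php` must include `wp_nonce_field( 'rr_save_settings', 'rr_nonce' )` for the hardened handler to accept it.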

Rich Reviews was removed from the WordPress.org Plugin Directory on March 11, 2019, due to a security issue.

One week ago, a Rich Reviews plugin user reported 3 out of 4 of her sites using the plugin were infected with redirect scripts and that removing the plugin fixed the issue. A digital marketing agency called Nuanced Media, the author of the plugin, responded to the post indicating that a new version would be released within two weeks:

We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.

Oddly, there seemed to be no rush to patch the issue that is currently being exploited. Yesterday, less than a week after assuring users that a new version is coming, the company behind the plugin announced that it is discontinuing active support and development on Rich Reviews.

Nuanced Media CEO Ryan Flannagan cited Google’s recent changes to its business review guidelines as the reason for discontinuing its development.

“As part of this update, in the organic search results, Google has decided to remove all merchant review star ratings that businesses display on their own URL,” Flannagan said.

“Based on this information, we have discontinued all active development and support on Rich Reviews. We apologize for any inconvenience.”

The announcement does not include any information about the vulnerability or the recent exploits. Users should assume that no patch is coming to the plugin, since it has been officially discontinued. It’s already not available to potential new users on WordPress.org, but those who have Rich Reviews active on their sites should deactivate it and remove the plugin as soon as possible to avoid getting hacked.


5 Comments


  1. We are not sure why it isn’t mentioned in your story since we contacted the WordPress Tavern about this situation a week ago, but it is important to note that the plugin has been publicly known to be vulnerable in this way since December of 2017 and the developer knew about it for a month and half before that. So there was plenty of time for the developer to have resolved this by now and there was also plenty of time for the WordPress team to better handle the situation instead of leaving websites to be hacked.

    One option available is for the team to release a fixed version, as is mentioned by the security page for WordPress:

    When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.

    It wouldn’t even require much work on their part, as we have repeatedly offered to provide fixes for vulnerabilities like the one in this plugin, which are likely to be exploited, but they haven’t taken us up on that.

    It would be great if you would cover that element of the story, since there are plenty of things that could be done to reduce the number of websites being hacked if that team was finally willing to work with others to address the problems with their process.


  2. I’d like to know if there are any safe, free, alternatives available. I’m looking for something I could use for my gaming reviews. Thanks for any suggestions!


  3. I’m also looking for alternatives and good suggestions for review plugins. I have lost my stars on rich results and now I’m not getting them back even after I have set them up manually on my templates. My codes are even correct on the Rich Schema Structured Test Tool.
    Google has updated it big this time.


  4. My team and I at Starfish Reviews have adopted the Rich Reviews plugin and issued a security release to fix these vulnerabilities.

    Unlike the one from Magic Box, you don’t have to pay to secure your site. Just update to 1.8+ through the normal, automatic update process and your site will no longer be vulnerable to this exploit.