After tracking exploits of a zero-day XSS vulnerability in the Rich Reviews plugin for WordPress, Wordfence is recommending that users remove it from their websites. The company estimates that there are 16,000 active installations vulnerable to unauthenticated plugin option updates:
Attackers are currently abusing this exploit chain to inject malvertising code into target websites. The malvertising code creates redirects and popup ads. Our team has been tracking this attack campaign since April of this year.
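To make the bug class concrete, here is an added illustration (hypothetical code, not the Rich Reviews plugin's own source) of an unauthenticated option update that becomes a stored XSS, next to the hardened form a plugin author would ship; the `demo_reviews_*` hook, function and option names are invented for the example.

```php
<?php
// Hypothetical illustration of the bug class, not Rich Reviews' code: an AJAX
// handler that writes a plugin option from request data with no authentication,
// capability check, nonce or sanitisation, and the hardened equivalent.

// --- Vulnerable pattern ----------------------------------------------------
// wp_ajax_nopriv_* fires for logged-out visitors, so any unauthenticated request
// can overwrite the option. The raw value is stored and later echoed unescaped,
// which is how injected markup ends up as site-wide redirects and popup ads.
add_action( 'wp_ajax_nopriv_demo_reviews_save', 'demo_reviews_save_vulnerable' );
add_action( 'wp_ajax_demo_reviews_save',        'demo_reviews_save_vulnerable' );
function demo_reviews_save_vulnerable() {
    // No current_user_can(), no nonce, no sanitisation of the posted value.
    update_option( 'demo_reviews_footer_text', $_POST['footer_text'] );
    wp_die();
}
function demo_reviews_render_vulnerable() {
    echo get_option( 'demo_reviews_footer_text' ); // unescaped output: stored XSS
}

// --- Hardened pattern ------------------------------------------------------
// Only the logged-in hook is registered, the caller must hold manage_options,
// the request must carry a nonce minted with wp_create_nonce('demo_reviews_save'),
// the value is sanitised on write, and the output is escaped on read.
add_action( 'wp_ajax_demo_reviews_save_safe', 'demo_reviews_save_hardened' );
function demo_reviews_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_reviews_save', 'nonce' ); // dies on a missing or invalid nonce
    $text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'demo_reviews_footer_text', $text );
    wp_send_json_success();
}
function demo_reviews_render_hardened() {
    echo esc_html( get_option( 'demo_reviews_footer_text', '' ) );
}
```

When auditing a plugin for this class, look for `wp_ajax_nopriv_` or `admin_post_nopriv_` hooks (and `init`-time handlers reading `$_GET`/`$_POST`) that reach `update_option()` without a capability check and nonce, and for options echoed without `esc_html()`/`esc_attr()`.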
Rich Reviews was removed from the WordPress.org Plugin Directory on March 11, 2019, due to a security issue.
One week ago, a Rich Reviews plugin user reported that 3 out of 4 of her sites using the plugin were infected with redirect scripts and that removing the plugin fixed the issue. Nuanced Media, the digital marketing agency that authors the plugin, responded to the post indicating that a new version would be released within two weeks:
We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.
Oddly, there seemed to be no rush to patch the issue that is currently being exploited. Yesterday, less than a week after assuring users that a new version is coming, the company behind the plugin announced that it is discontinuing active support and development on Rich Reviews.
Nuanced Media CEO Ryan Flannagan cited Google’s recent changes to its business review guidelines as the reason for discontinuing its development.
“As part of this update, in the organic search results, Google has decided to remove all merchant review star ratings that businesses display on their own URL,” Flannagan said.
“Based on this information, we have discontinued all active development and support on Rich Reviews. We apologize for any inconvenience.”
The announcement does not include any information about the vulnerability or the recent exploits. Users should assume that no patch is coming to the plugin, since it has been officially discontinued. It is already unavailable to new users on WordPress.org, but those who have Rich Reviews active on their sites should deactivate it and remove the plugin as soon as possible to avoid getting hacked.
We are not sure why it isn’t mentioned in your story since we contacted the WordPress Tavern about this situation a week ago, but it is important to note that the plugin has been publicly known to be vulnerable in this way since December of 2017 and the developer knew about it for a month and a half before that. So there was plenty of time for the developer to have resolved this by now and there was also plenty of time for the WordPress team to better handle the situation instead of leaving websites to be hacked.
One option available is for the team to release a fixed version, as is mentioned by the security page for WordPress:
When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.
It wouldn’t even require much work on their part, as we have repeatedly offered to provide fixes for vulnerabilities like the one in this plugin, which are likely to be exploited, but they haven’t taken us up on that.
It would be great if you would cover that element of the story, since there are plenty of things that could be done to reduce the number of websites being hacked if that team was finally willing to work with others to address the problems with their process.