Rich Reviews Plugin Flaw Has No Fix
A flaw in the Rich Reviews plugin affects about 15,000 sites and exposes them to stored cross-site scripting attacks. Sites running the plugin are vulnerable to unauthenticated plugin option updates, which can be used to inject malware, and attacks are already happening. Hackers are currently exploiting the flaw to inject malvertising code into affected websites. The malvertising code creates redirects and pop-up ads.
Rich Reviews is a plugin that offers websites a simple way to collect user reviews and star ratings, which search engines use in the site descriptions they return in search results. Websites can let visitors review specific products, categories or the entire website.
According to Wordfence, there are two main issues behind the vulnerability. One is a lack of access controls for modifying the plugin's options. The second is a lack of sanitization on the values of those options. To perform options updates, the plugin checks for the presence of the POST body parameter update. If the expected value is present, the plugin iterates through the other options passed through POST and updates their values as needed. This check is made every time the plugin's RichReviews class is instantiated, regardless of user permissions or the current path, which means any incoming request is able to make these changes.
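To make the two issues concrete, here is an added illustration (not the plugin's actual code, and not from Wordfence) of the pattern described above beside a hardened form that a WordPress plugin author would use instead. The option names, the `rr_save_options` action and the settings page slug are placeholders; the WordPress API functions (`current_user_can`, `check_admin_referer`, `sanitize_text_field`, `update_option`) are real.

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern (placeholder option names).
// The save logic runs in the constructor, so it fires on every request, with no
// capability check, no nonce, and no sanitization of the submitted values.
class RichReviews_Vulnerable {
    private $option_names = array( 'rr_example_text', 'rr_example_footer' ); // placeholders

    public function __construct() {
        if ( isset( $_POST['update'] ) ) {
            foreach ( $this->option_names as $name ) {
                if ( isset( $_POST[ $name ] ) ) {
                    update_option( $name, $_POST[ $name ] ); // raw value stored, later echoed to visitors
                }
            }
        }
    }
}

// Hardened form: only handle the form on an admin-only hook, require the
// manage_options capability, verify a nonce, and sanitize each value before
// storing it. Values should still be escaped (esc_html/esc_attr) when rendered.
class RichReviews_Hardened {
    private $option_names = array( 'rr_example_text', 'rr_example_footer' ); // placeholders

    public function __construct() {
        // admin_post_{action} only fires for POSTs to wp-admin/admin-post.php, not on every page load.
        add_action( 'admin_post_rr_save_options', array( $this, 'save_options' ) );
    }

    public function save_options() {
        // Access control: unauthenticated or low-privilege users are rejected outright.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', 403 );
        }
        // CSRF protection: dies if the nonce tied to this action is missing or invalid.
        check_admin_referer( 'rr_save_options' );

        foreach ( $this->option_names as $name ) {
            if ( isset( $_POST[ $name ] ) ) {
                // Sanitization: strips tags and control characters so a stored option cannot carry script.
                $clean = sanitize_text_field( wp_unslash( $_POST[ $name ] ) );
                update_option( $name, $clean );
            }
        }
        wp_safe_redirect( admin_url( 'options-general.php?page=rr-settings&updated=1' ) ); // placeholder slug
        exit;
    }
}
```

The settings form that posts to `admin-post.php` would include `wp_nonce_field( 'rr_save_options' )` so that `check_admin_referer` has a nonce to verify.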
The plugin's developers are aware of the flaw, but no fix is available. The developers stated that they are working on a complete rewrite of the plugin and hope to have it back up in the next two weeks. For now, users should remove the Rich Reviews plugin from their sites. The Rich Reviews plugin was removed from the WordPress repository six months ago, so when the developer releases a fix, users won't be able to update it until the plugin is reinstated in the repository.
Hackers using WordPress plugins for malvertising is not new. They target vulnerable websites running outdated WordPress plugin versions to inject malicious JavaScript into the front end that performs the redirects. They have also started installing persistent backdoors on compromised sites.