An unpatched vulnerability in the Rich Reviews plugin for WordPress is putting an estimated 16,000 sites in danger of stored cross-site scripting (XSS) attacks.
Sites running the plugin are vulnerable to unauthenticated plugin-option updates, which can be used to deliver malware payloads, and according to Wordfence, attacks are already happening in the wild.
“Attackers are currently abusing this exploit chain to inject malvertising code into target websites,” researchers explained in a Tuesday posting on the attack. “The malvertising code creates redirects and pop-up ads.”
For background, Rich Reviews is a plugin that offers websites a simple way to collect user reviews and star ratings, to be used by search engines in the site descriptions they return in search results. Websites can let visitors review specific products, categories or the entire website.
There are two core issues at the heart of the vulnerability: One is a lack of access controls for modifying the plugin’s options, and the second is a subsequent lack of sanitization on the values of those options, according to Wordfence.
To perform options updates, the plugin checks for the presence of the POST body parameter “update”; if the expected value is present, the plugin iterates through the other options passed through POST and updates their values as needed.
“Unfortunately, this check is made every time the plugin’s RichReviews class is instantiated regardless of user permissions or the current path,” explained the researchers. “This means all incoming requests are capable of performing these changes.”
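The two issues described above, a missing access check and missing sanitization on the option values, are shown here in an added illustrative example that is not the Rich Reviews plugin’s code: a hardened options-update handler written against standard WordPress APIs. The rr_ prefix, the option names, the rr_update form field and the rr_nonce field name are assumptions made for this example.

```php
<?php
// Illustrative hardened options-update handler (not the Rich Reviews plugin's
// code). The "rr_" prefix, option names and form field names are assumptions.

// Whitelist of options this handler may touch, each paired with a sanitizer.
// Anything not listed is ignored, so a request cannot set arbitrary options.
function rr_allowed_options() {
    return array(
        'rr_form_title'       => 'sanitize_text_field', // free text, stripped of tags
        'rr_reviews_per_page' => 'absint',              // non-negative integer only
        'rr_show_summary'     => 'rest_sanitize_boolean', // true/false only
    );
}

// Run only on admin_init, so a front-end request that merely instantiates the
// plugin never reaches the update logic at all.
add_action( 'admin_init', 'rr_handle_options_update' );

function rr_handle_options_update() {
    // Only act on an explicit submission from the settings screen.
    if ( empty( $_POST['rr_update'] ) ) {
        return;
    }

    // Access control: require the capability normally needed to change plugin
    // settings. Unauthenticated and low-privilege users are stopped here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF protection: the form must carry a nonce tied to this action.
    check_admin_referer( 'rr_save_options', 'rr_nonce' );

    // Sanitization: every stored value passes through its option's sanitizer.
    foreach ( rr_allowed_options() as $name => $sanitizer ) {
        if ( ! isset( $_POST[ $name ] ) ) {
            continue;
        }
        $clean = call_user_func( $sanitizer, wp_unslash( $_POST[ $name ] ) );
        update_option( $name, $clean );
    }
}

// Output escaping for the context where an option is rendered, so that even a
// bad stored value cannot become executable script in a visitor's browser.
function rr_render_form_title() {
    echo esc_html( get_option( 'rr_form_title', '' ) );
}
```

The three layers are independent: the capability check closes the unauthenticated-update problem, the whitelist plus per-option sanitizer limits what can be stored, and the output escaping means a stored value is harmless even if an earlier layer fails.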
The payloads injected by these attackers are directly associated with a known, ongoing malvertising campaign, according to Wordfence.
“This XSS payload is nearly identical to those we’ve identified in this campaign before. The sourced third-party script place.js is similar to others we’ve seen in this malvertising campaign as well, which could trigger popup ads and unwanted redirects,” they explained.
It’s not a zero-day; the plugin’s developers are aware of the vulnerability, researchers said – however, so far there’s no fix.
The plugin’s developers have released a statement: “We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.”
To protect themselves, users should remove the Rich Reviews plugin from their sites for now.
“The Rich Reviews plugin was removed from the WordPress repository six months ago,” Wordfence researchers said. “That means that, even if the developers release a fix, customers will not be able to update until the plugin is reinstated in the repository.”