Zero-Day on the Rich Reviews WordPress Plugin Under Exploitation

• Attackers probe WordPress sites for the Rich Reviews plugin and infect them with malvertising code.
• The plugin carries a zero-day flaw that is known to the developers, but they’re not planning to fix it.
• Instead, they will rewrite the plugin from scratch and reinstate it on the WordPress plugin repository.

According to a report by the Wordfence Threat Intelligence team, there’s a vulnerability in the Rich Reviews WordPress plugin that is currently under active exploitation. The particular zero-day flaw is based on unauthenticated plugin option updates which can be exploited to drop cross-site scripting (XSS) payloads. Rich Reviews is an open-source plugin for WordPress, created by Nuanced Media. The creator retracted the plugin on March 11, 2019, due to security issues, while the most recent update that it received dates back to two years ago. Still, though, it currently counts over 16000 users, who apparently don’t care about using safe and actively maintained WordPress plugins. That is even after multiple warnings not to use the plugin.

The websites that still use Rich Reviews are mainly plagued by malvertising code injection. This makes the experience for the visitors a mess, with popup ads and redirects happening all over the place. The attacks started in April this year, and they spiked again in August. As we said, Nuanced Media knew about this problem, but as they have made it clear that no update is on the way, the only solution is to pick an alternative plugin.

Still, Wordfence researchers gave Nuance Media enough time to fix this zero-day if they wanted to, and that is why they have published the story just now. Since the plugin has been removed from the WordPress plugin repository, even if a fix was released, users wouldn’t be able to update it automatically. The response that came from Nuance in the form of an announcement was the following:

“We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.”

This means that there will be a complete rewrite of Rich Reviews, as patching it is probably impossible at this point. Until then, look for the following indicators of compromise: IP addresses 94.229.170.38, 183.90.250.26, and 69.27.116.3, as well as the “adsnet.work” domain name. The injected code will appear in the options table of the WordPress database as “rr_options”. Deactivating the plugin should also be enough to evade detection and exploitation by malvertising actors.

Have something to comment on the above? Let us know what you think in the section down below, or on our socials, on Facebook and Twitter.