Hackers are infecting WordPress sites via a defunct plug-in

If you’re a WordPress admin using a plug-in called Rich Reviews, you’ll want to uninstall it. Now. The now-defunct plug-in has a major vulnerability that allows malvertisers to infect sites running WordPress and redirect visitors to other sites.

Rich Reviews is a WordPress plugin that lets sites manage reviews internally in WordPress, and also lets a business's reviews appear in Google's display underneath its search result. Marketing company Nuanced Media released it in conjunction with plug-in developer Foxy Technology in January 2013.

The honeymoon didn’t last long, though. Updating an old blog post earlier this month, Nuanced Media reaffirmed that it had discontinued the plugin. It blamed a change in Google’s schema guidelines that stopped merchants displaying review star ratings on their own URLs.

The company’s last update to the Rich Reviews GitHub repository was over three years ago. The plugin finally disappeared from the WordPress site in March this year. It had accumulated 106,000 downloads in total.

The problem is that at least some of those downloaders (16,000, by some estimates) are still using it, and have been stung by a nasty vulnerability. The security bug allows attackers to inject malvertising code into victims’ WordPress pages, littering them with pop-up ads or redirecting them to other sites.

Wordfence, which sells a WordPress firewall, disclosed the bug on Tuesday.

The attackers rely on two shortcomings in the plugin. The first is a lack of access controls for POST requests that modify the plug-in’s options, meaning that attackers can make those requests without authorisation.

The second bug is an input validation flaw. Some of those modification requests can change the text displayed on the site, but the plug-in doesn’t validate the content of the request.

These two flaws combined mean that attackers can store JavaScript in the plug-in's settings that is then served in the site's pages to every visitor (a stored cross-site scripting flaw).
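To show what the two shortcomings look like in plugin code, here is an added example that is not Rich Reviews' code or Nuanced Media's: a hypothetical option `rr_demo_banner_text` saved from an admin form, first with the missing access control and missing validation side by side, then hardened with WordPress's own capability, nonce, sanitisation and escaping APIs (the `rr_demo_` names are invented for this illustration).

```php
<?php
// Added example, not the plugin's own code. Demonstrates the two defects the
// article describes and the corrected handler for a hypothetical setting.

// VULNERABLE: the option is rewritten by any request reaching these hooks,
// including unauthenticated ones via admin_post_nopriv_, and the raw value
// (HTML, <script> tags and all) is stored verbatim.
function rr_demo_save_banner_insecure() {
    update_option( 'rr_demo_banner_text', $_POST['banner_text'] );
    wp_die( 'saved' );
}
add_action( 'admin_post_rr_demo_save', 'rr_demo_save_banner_insecure' );
add_action( 'admin_post_nopriv_rr_demo_save', 'rr_demo_save_banner_insecure' );

// HARDENED: only a logged-in user who may manage options, presenting a valid
// nonce, can save; the value is sanitised going in and escaped coming out.
function rr_demo_save_banner_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Stops with a 403 unless the form carried wp_nonce_field( 'rr_demo_save' ).
    check_admin_referer( 'rr_demo_save' );

    $text = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';
    // This setting only ever holds plain text, so strip tags and control bytes.
    update_option( 'rr_demo_banner_text', sanitize_text_field( $text ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=rr-demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_rr_demo_save_secure', 'rr_demo_save_banner_secure' );
// Deliberately no admin_post_nopriv_ hook: logged-out visitors never reach it.

// Admin form: the nonce field is what check_admin_referer() verifies above.
function rr_demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'rr_demo_save' );
    echo '<input type="hidden" name="action" value="rr_demo_save_secure">';
    echo '<input type="text" name="banner_text" value="'
        . esc_attr( get_option( 'rr_demo_banner_text', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Front-end output: escape at render time so stored data can never run as script.
function rr_demo_render_banner() {
    return '<div class="rr-demo-banner">'
        . esc_html( get_option( 'rr_demo_banner_text', '' ) ) . '</div>';
}
add_shortcode( 'rr_demo_banner', 'rr_demo_render_banner' );
```

Either the capability/nonce check or the sanitise-and-escape pair alone would have blocked the injection described above; applying both means a future lapse in one does not reopen the hole.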

Attackers are already exploiting this bug in the wild, according to Wordfence. It is being used as part of a long-running malvertising campaign that the company has reported on before, in which the attackers redirect visitors to pharmaceutical sites or directly attack their browsers.

Some WordPress users confirmed that they are already suffering from exploits based on this vulnerability.

Posting in a WordPress support forum, WordPress user @the9mm warned that the plugin had allowed malware to infect three of her four sites, redirecting visitors to malware and porn sites. She added:

Deactivating and removing the plugin fixed this.

Nuanced Media replied immediately in the same forum, explaining that it was working on a fix that would be available within the next two weeks:

We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.

However, Wordfence wasn’t impressed. People can’t update the plugin unless Nuanced Media reintroduces it onto the WordPress site, it said. It also criticised Nuanced Media’s “vague timeline” for a fix, which is why it decided to disclose the issue immediately so that people could ditch it.

One thing is clear: Nuanced Media knew that there was a security issue with this plug-in back in March. The plug-in page cites the reason for the removal as a security issue, although it’s not clear what that issue was.

Nuanced Media CEO Ryan Flannagan told us that it was WordPress that removed the plug-in back in March, adding:

The removal of Rich Reviews from the WordPress plugin repository removed it from our priorities, as well.

He said that the company won’t be supporting Rich Reviews in the long term, concluding:

It’s distressing to know that something we created is being used as a vector of attack: hurting businesses, frustrating website administrators, and benefiting the worst sort of scummy spammers. However, due to the recent Google Schema update and the scope of the project Nuanced Media will not be supporting the continued development of Rich Reviews.

The company is looking for developers who are interested in taking over the plug-in’s development, he added.

This raises an interesting question for the WordPress community. If a company publishes a plug-in and thousands of people use it, should it have a duty to fix known security bugs as early as possible, even if the plug-in is taken down?

Automattic, whose founder started the open source WordPress project, didn’t respond to our questions. However, Mikey Veenstra, the threat analyst at Wordfence who posted about the bug, did:

Fortunately, in most cases we see responsive developers who take security seriously and are prompt to address any issues. There are always exceptions like these, though.

The biggest goal for the community is to focus on educating developers about best practices, he concluded.

Update 2019-10-11

Since writing this article, Plugin Vulnerabilities got in touch to inform us that it discovered this bug and informed Nuanced Media about it in 2017, which Flannagan confirmed. Nuanced Media has now handed over Rich Reviews to reviews plugin company Starfish Reviews, which fixed the insecure code and re-released the plugin through WordPress.org on Monday 7 October. Any Rich Reviews users should update their plugins to the new version.