“Tag! You’re it!” said the cyber-attack to the Rich Reviews WordPress plugin. It’s open source software created by Nuanced Media for managing reviews. If you’re not keeping away from it, your website could be under serious threat of a malicious attack.
Who’s at risk, and what kind of a threat does it pose?
Wordfence users are safe from this massive redirect campaign, but any other user would have to face redirects to ads, malware, porn, you name it, and that's just the tip of the iceberg. Sites with the plugin installed are susceptible to unauthenticated option updates, which attackers use to plant stored cross-site scripting (XSS) payloads. Attackers have been injecting their malvertising code into target websites.
Since the plugin has been removed from the WordPress repository, any update released by a developer will not be accessible. The root of the vulnerability is the absence of the access controls that should be required to modify the plugin’s options. The payloads injected by the attackers closely resemble those of the recent malvertising campaign that threatened millions of WordPress users through several plugins. That campaign created rogue admin accounts and took over websites.
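To make the "absence of access controls on option updates" concrete, here is an added example of a WordPress settings handler written for this article; it is not the Rich Reviews plugin's own code, and the hook names, option name and form field (`example_save_settings`, `example_review_footer`, `footer`) are hypothetical. It shows the weak pattern that lets an unauthenticated visitor write straight into wp_options beside the hardened pattern that a plugin developer should use.

```php
<?php
// Added example, not the plugin's code. All identifiers below are hypothetical;
// the point is the pattern: who may reach the handler, what is verified, and
// what is stored.

// WEAK: the *_nopriv hook is reachable by visitors who are not logged in, there
// is no capability check, no nonce, and the raw POST value is written straight
// into wp_options. Whatever is stored here is later echoed into the site's pages,
// so this is a stored XSS sink.
add_action('admin_post_nopriv_example_save_settings', 'example_save_settings_weak');
function example_save_settings_weak() {
    update_option('example_review_footer', $_POST['footer']);
    wp_safe_redirect(admin_url('options-general.php'));
    exit;
}

// HARDENED: only logged-in users reach the hook (no *_nopriv variant), the
// capability and the nonce are verified, and the value is sanitized before it
// is stored. The settings form must emit the matching nonce with
// wp_nonce_field('example_save_settings', 'example_nonce').
add_action('admin_post_example_save_settings', 'example_save_settings_hardened');
function example_save_settings_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }
    check_admin_referer('example_save_settings', 'example_nonce');

    $footer = isset($_POST['footer']) ? wp_unslash($_POST['footer']) : '';
    // Keep only the limited HTML that wp_kses_post allows; <script> and
    // event-handler attributes are stripped.
    $footer = wp_kses_post($footer);
    update_option('example_review_footer', $footer);

    wp_safe_redirect(add_query_arg('settings-updated', 'true', admin_url('options-general.php')));
    exit;
}

// Output side: escape again when rendering, because an option can also be
// written by other code paths, so storage-time sanitizing alone is not enough.
function example_render_footer() {
    echo wp_kses_post(get_option('example_review_footer', ''));
}
```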
What’s the future of the plugin?
This is distressing news if you’re a user of Rich Reviews. On its blog, Nuanced Media has announced that it has no plans to patch this vulnerability and has discontinued the product, i.e. it is no longer developing the plugin and will not release any further updates. However, Starfish Media has taken over the active development of the plugin. It isn't clear whether the plugin will be usable again any time soon.
What’s the solution?
All that said and done, there are several excellent alternatives to Rich Reviews that you can use. Reviews, after all, are a major driving factor in purchasing decisions. As for the current plugin, you already know the answer. Deactivate and/or delete.