It is estimated that there are 16,000 active installations of vulnerable Rich Reviews Plugin which was removed from the WordPress.org Plugin Directory on March 11, 2019, due to a security issue.
The Wordfence Threat Intelligence team first reported a zero-day vulnerability in the Rich Reviews WordPress plugin that is currently being exploited. The vulnerability is an unauthenticated plugin option update, which can then be easily exploited to deliver XSS (cross-site scripting) payloads.
Rich Reviews is an open-source plugin for WordPress, a popular content management system (CMS) built on PHP and MySQL. Its maker, Nuanced Media, withdrew the plugin in March, while its last update was released two years ago. It is one of the WordPress plugins whose vulnerabilities have recently been exploited in the wild. Zero-day vulnerabilities were also found in these plugins: Zero-day Vulnerability in WordPress Yellow Pencil Plugin, Plugin Vulnerability In Social Warfare, Vulnerability in WordPress Easy WP SMTP Plugin, Convert Plus WordPress Plugin Vulnerability & WordPress Privilege Escalation Vulnerability in Contact Form 7 & WP GDPR
The company withdrew the plugin for security reasons. Nevertheless, it still has more than 15,000 users across the globe. Even after repeated warnings not to use the plugin, these users apparently are not bothered about switching to safe and actively maintained WordPress plugins.
Announcement – Users should assume that no patch is coming for the plugin, since it has been officially discontinued. It is already unavailable to new users on WordPress.org, but those who have Rich Reviews active on their sites should deactivate and remove the plugin as soon as possible and scan their website to avoid getting hacked and infected with malware.
Even if Rich Reviews’ developers were to create a fixed version of the previously dormant plugin, it would not be available to vulnerable websites until the plugin was reinstated to the WordPress plugin repository.
If your site has already been affected by this exploit in the Rich Reviews plugin, scan your WordPress site below and get in touch with us to learn more.
If you use shortcodes frequently, this plugin can come in handy. Rich Reviews also lets you copy the shortcode into a post or page. Each shortcode is available in an expanded version that lets the user include a set number of ratings and reviews. Authors can add their own reviews and display them alongside the reviews submitted by users. The plugin offers three different types of shortcodes.
By copying these shortcodes, you can show reviews by specific users, add forms through which visitors can leave comments, and display the overall rating.
The main targets are websites currently running Rich Reviews; they are being hit with malvertising code injection, as a result of which visitors see popup ads and malware redirects in WordPress. Users began reporting this issue in April 2019, and it surged significantly in August.
As discussed, Nuanced Media was aware of this issue, but it has made clear that users should not expect an update and that the only solution is to install an alternative plugin.
Still, the Wordfence intelligence team gave Nuanced Media ample time to look for a permanent solution. Since the plugin had already been removed from the WordPress plugin archive, even if a fix were released, users would not be able to update automatically. Nuanced Media's response was as follows –
“We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.”
Ryan Flannagan (Chief Executive Officer of Nuanced Media) said that they are abandoning active support and development of the plugin. He added that, in light of this, Google would remove the merchant review star ratings that businesses usually have displayed alongside their URL in organic search results.
There are two main issues in the Rich Reviews plugin: a lack of access controls on changes to the plugin's options, and a lack of sanitization of those option values.
To carry out option updates, the plugin checks whether the POST body contains an update parameter. If that expected value is present, the plugin iterates over the other options passed via POST and updates their values accordingly.
Unfortunately, this check runs whenever the plugin's RichReviews class is instantiated, regardless of the user's permissions or the request path. This means that any incoming request can make these changes.
Several of the affected option values control text displayed by the plugin. Because these values are not properly sanitized, attackers can insert JavaScript payloads that execute in the browsers of both logged-in administrators and ordinary visitors.
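The two defects described above (options rewritten on every request, and values stored unfiltered) are easiest to see side by side. The following is an added example written for this article and is not the Rich Reviews plugin's own code: the first class shows the general shape of the unsafe pattern, the second shows the same option update done the way WordPress expects. The option name rr_options comes from the article; the class names, the allow-listed keys, the hook name rr_save_options and the settings page slug are hypothetical.

```php
<?php
// Added example (not the Rich Reviews plugin's own code): the option-update
// pattern the text describes, first in its unsafe shape, then hardened.
// 'rr_options' is from the article; all other names are hypothetical.

// --- Unsafe pattern: runs in the constructor, i.e. on every request that
// loads the plugin, so any unauthenticated POST carrying an 'update' field
// rewrites the options, and each value is stored without any filtering.
class RichReviewsUnsafe {
    public function __construct() {
        if ( isset( $_POST['update'] ) ) {
            $options = get_option( 'rr_options', array() );
            foreach ( $_POST as $key => $value ) {
                if ( 'update' !== $key ) {
                    $options[ $key ] = $value; // raw, unfiltered, any key
                }
            }
            update_option( 'rr_options', $options );
        }
    }
}

// --- Hardened pattern: handle the form only on its admin-post hook, require
// the manage_options capability and a valid nonce, accept only known keys,
// and sanitize every value before it reaches the database.
class RichReviewsHardened {
    // Hypothetical allow-list of option keys the settings page may change.
    private $allowed_keys = array( 'form_title', 'thank_you_text', 'reviews_per_page' );

    public function __construct() {
        // The settings form posts to admin-post.php with action=rr_save_options.
        add_action( 'admin_post_rr_save_options', array( $this, 'save_options' ) );
    }

    public function save_options() {
        // Access control: only users allowed to manage options may proceed.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
        }
        // CSRF protection: the form must carry wp_nonce_field( 'rr_save_options' ).
        check_admin_referer( 'rr_save_options' );

        $options = get_option( 'rr_options', array() );
        foreach ( $this->allowed_keys as $key ) {
            if ( ! isset( $_POST[ $key ] ) ) {
                continue;
            }
            $options[ $key ] = self::sanitize( $key, wp_unslash( $_POST[ $key ] ) );
        }
        update_option( 'rr_options', $options );

        wp_safe_redirect( admin_url( 'admin.php?page=rr_options' ) );
        exit;
    }

    // Per-key sanitization: numbers become non-negative integers, text loses
    // all tags, so a <script> element can never be stored in the option.
    public static function sanitize( $key, $value ) {
        if ( 'reviews_per_page' === $key ) {
            return absint( $value );
        }
        return sanitize_text_field( $value );
    }
}
```

Sanitizing on the way in is only half of the fix: wherever the plugin later prints these values, they should still pass through esc_html() or esc_attr() so that a value which reached the database by another route cannot execute in an administrator's or visitor's browser.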
Investigating one of the infected websites closely, a suspicious log activity, related to the Rich Reviews plugin, was found.
183.90.250.26 - [redacted] "POST /wp-admin/admin-post.php?page=fp_admin_options_page HTTP/1.0" 200 - "-" "-"
What is interesting about this log entry is that it includes the plugin's admin-post.php page string. This type of request is common in cases where an is_admin check is used, incorrectly, as a test of the user's permissions.
The payloads used by the attackers are tied to a malvertising campaign much like the one discussed earlier.
The XSS payload is much the same as those already discussed. The sourced third-party script, place.js, is the same one seen in this malvertising campaign, and it can trigger popup ads and unwanted redirects.
The company has also released indicators of compromise where possible, so that other security vendors can add detection to their products and offer the best protection for their customers. Here are some of the IOCs we have come across related to this attack campaign –
IP Addresses
Here are some of the IP addresses associated with malicious activity against this vulnerability –
Domain Names
adsnet.work – hosts the malicious scripts sourced by the XSS injections.
Database Content –
Content added by the attacker will appear in the options table of the WordPress database under the name rr_options.
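The log entry quoted earlier and the two IOCs above (the adsnet.work domain and the rr_options row) can be checked with a small triage script. The following is an added example written for this article, not code from Wordfence or from the plugin: it flags access-log lines with the same request shape as the quoted entry and inspects a stored rr_options value for injected script content. The log lines and option values below are constructed samples; the IP 183.90.250.26, the page string fp_admin_options_page, the option name rr_options, the domain adsnet.work and the script name place.js are taken from the article, and the function names are hypothetical.

```php
<?php
// Added example (not from the article, Wordfence or the plugin): triage helpers
// for the request pattern and the database IOC described in the text.

// Return every log line that is a POST to admin-post.php carrying the
// page=fp_admin_options_page query string, with the source IP and path.
function find_option_update_posts( array $log_lines ): array {
    $hits = array();
    // Loose combined-log shape: ip ... [timestamp] "POST path HTTP/x" ...
    $pattern = '#^(\S+)\s+.*?(\[[^\]]*\])\s+"POST (/wp-admin/admin-post\.php\?[^"\s]*page=fp_admin_options_page[^"\s]*)#';
    foreach ( $log_lines as $line ) {
        if ( preg_match( $pattern, $line, $m ) ) {
            $hits[] = array( 'ip' => $m[1], 'time' => $m[2], 'path' => $m[3] );
        }
    }
    return $hits;
}

// Inspect a serialized rr_options value (as stored in wp_options.option_value)
// and report any string that carries a <script> tag or references adsnet.work.
function rr_options_findings( string $serialized ): array {
    $findings = array();
    $data = @unserialize( $serialized, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return array( 'option value could not be unserialized' );
    }
    foreach ( $data as $key => $value ) {
        if ( ! is_string( $value ) ) {
            continue;
        }
        if ( preg_match( '#<script\b#i', $value ) ) {
            $findings[] = "$key: contains a <script> tag";
        }
        if ( stripos( $value, 'adsnet.work' ) !== false ) {
            $findings[] = "$key: references adsnet.work";
        }
    }
    return $findings;
}

// Constructed sample log lines: two match the pattern, one is unrelated.
$sample_log = array(
    '183.90.250.26 - [redacted] "POST /wp-admin/admin-post.php?page=fp_admin_options_page HTTP/1.0" 200 - "-" "-"',
    '192.0.2.10 - - [01/Sep/2019:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Sep/2019:10:05:00 +0000] "POST /wp-admin/admin-post.php?page=fp_admin_options_page HTTP/1.1" 200 - "-" "-"',
);

foreach ( find_option_update_posts( $sample_log ) as $hit ) {
    echo "suspicious option update from {$hit['ip']} at {$hit['time']}: {$hit['path']}\n";
}

// Constructed sample option rows: a clean one and one resembling the injection
// the article describes (a sourced place.js from adsnet.work).
$clean_row    = serialize( array( 'form_title' => 'Leave a review', 'reviews_per_page' => 10 ) );
$injected_row = serialize( array(
    'form_title' => '<script src="https://adsnet.work/place.js"></script>',
) );

foreach ( array( 'clean' => $clean_row, 'injected' => $injected_row ) as $label => $row ) {
    $findings = rr_options_findings( $row );
    echo "$label rr_options: " . ( $findings ? implode( '; ', $findings ) : 'no findings' ) . "\n";
}
```

On a live site the option value can be pulled with WP-CLI (wp option get rr_options --format=json) or with a direct SELECT on wp_options, and the access-log check should be run over the whole retention window, since the article notes the injections began months before they surged.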
If you have also encountered the zero-day vulnerability in the Rich Reviews plugin and don't know how to proceed, don't worry; leave it to our experts at WP Hacked Help. Get in touch with us today with your details.