Last month in our security series, we featured news about the Wordfence Threat Intelligence team's report tracking a series of attacks against an unpatched vulnerability in the Rich Reviews plugin for WordPress. Read the post here: Rich Reviews WordPress plugin allows hackers to inject malvertising code to over 16,000 sites.
An estimated 16,000 sites running the plugin were vulnerable to unauthenticated plugin option updates, which can be used to deliver stored cross-site scripting (XSS) payloads.
These security issues have now been fixed in the updated version 1.8, which includes a complete rewrite of the options interface (where the worst vulnerabilities existed). The plugin from Nuanced Media is now under a new owner, Starfish Reviews, who have graciously patched the vulnerabilities and will henceforth be maintaining the plugin.
The Rich Reviews plugin was originally released in January 2013. It was conceived by Nuanced Media but developed by the seemingly now defunct Foxy Technology. They actively developed and maintained the plugin over the years, including adding new features. At some point Foxy stopped being involved in development of the plugin.
The original plugin used poor WordPress development practices by today’s standards. Keep in mind that it was created in 2013 when WordPress and development standards were very different than today. It opted to create its own options screen from scratch, rather than use the Options API, which includes many security features.
The developers also built other interfaces from scratch where WordPress-native methods were available. For example, a Custom Post Type might have been used for the reviews. Instead, a custom interface was built that looks and works similarly to the normal post/CPT management interface. All of that meant security had to be considered separately in every piece, since many of WordPress' built-in measures were not utilized. Read more history here.
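The difference between a hand-rolled options screen and the WordPress-native approach, as an added example (not code from Rich Reviews or from its current or former maintainers): a weak save routine beside a hardened one for a hypothetical `rr_demo_title` option. The option name, settings group, page slug and nonce action are assumptions.

```php
<?php
// Added example, not code from Rich Reviews or its maintainers: a minimal
// settings handler for a hypothetical "rr_demo_title" option, showing the
// checks a hand-rolled options screen must perform itself and that the
// Options/Settings API otherwise handles for you.

// Weak pattern (illustration only, deliberately not hooked): no capability
// check, no nonce, no sanitization. Hooked on a public action, any visitor
// could post a value and have it stored verbatim, the stored XSS route.
function rr_demo_weak_save() {
    if ( isset( $_POST['rr_demo_title'] ) ) {
        update_option( 'rr_demo_title', $_POST['rr_demo_title'] );
    }
}

// Hardened pattern: register the option so WordPress runs a sanitize callback
// on every update, whichever code path calls update_option().
function rr_demo_register_setting() {
    register_setting(
        'rr_demo_group',
        'rr_demo_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'rr_demo_register_setting' );

function rr_demo_hardened_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies unless the request carries the nonce printed into the form by
    // wp_nonce_field( 'rr_demo_save' ), blocking cross-site forged submissions.
    check_admin_referer( 'rr_demo_save' );
    $title = isset( $_POST['rr_demo_title'] ) ? wp_unslash( $_POST['rr_demo_title'] ) : '';
    update_option( 'rr_demo_title', sanitize_text_field( $title ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rr-demo' ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; the unauthenticated
// admin_post_nopriv_{action} hook is deliberately left unregistered.
add_action( 'admin_post_rr_demo_save', 'rr_demo_hardened_save' );

// Escape on output too, so a value that slipped through cannot execute.
function rr_demo_render_title() {
    echo esc_html( get_option( 'rr_demo_title', '' ) );
}
```

The capability check, the nonce check and the sanitize callback are each independently necessary: the first two stop unauthenticated or forged updates, the third keeps any stored value inert if they are ever bypassed.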
In 2017, the Plugin Vulnerabilities scanner flagged the plugin as potentially unsafe. When their team reviewed the plugin, they found several vulnerabilities in Rich Reviews. They reached out to Nuanced Media as part of responsible disclosure, identifying and explaining the issue a month before publishing their findings.
What Rich Reviews plugin is all about
Rich Reviews empowers you to easily capture user ratings, reviews, and testimonials for your business, website, or individual products/pages and display them on your WordPress page or post.
With Google My Business emphasizing the importance of testimonials, reviews are becoming integral for the success of any business, product, or service online.
Rich Reviews Features
- Three types of reviews: per-page or per-post, category, or global reviews allow you to customize to your needs. Whether you want users to review products, categories, or your entire website, Rich Reviews gives you the control.
- Moderated submissions allow you to choose which reviews are added to your site.
- Built completely around shortcodes, so you can include any of the three key features on any page, post, sidebar, footer, or widget on your site.
- Simple design allows compatibility across themes.
- Includes external stylesheet for ease of customization.
- Outputs the aggregate review microformat (hReview-aggregate) schema so that site ratings can be displayed in Google results with rich snippets.
- Minimalist, lightweight, and efficient code means that your site won’t be slowed down, and your users won’t have any trouble leaving a review.