Hackers Exploit Unpatched Bug in Rich Reviews WordPress Plugin


Site administrators still using the Rich Reviews plugin for WordPress are easy targets, as hackers are currently exploiting an unpatched vulnerability in it for malvertising campaigns.


Although the plugin was removed for security reasons from the WordPress repository more than six months ago, it is estimated that 16,000 websites still have it running.


Familiar XSS payload


The plugin is vulnerable to unauthenticated plugin option updates, and attackers are leveraging this to deliver stored cross-site scripting (XSS) payloads. The JavaScript is triggered for both website visitors and authenticated administrators.


According to researchers from Defiant, two issues permit the attack: a lack of access controls for changing the plugin's options, and a lack of sanitization of the option values.
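To show what those two issues look like in plugin code, here is an added example that is not Rich Reviews' own code: a hypothetical WordPress AJAX option-update handler with both weaknesses, followed by a hardened version that checks capability and nonce, sanitizes on input and escapes on output. The option name, action name and function names are made up for the illustration.

```php
<?php
// Added illustration, not code from the Rich Reviews plugin. Option,
// action and function names (rr_demo_*) are hypothetical.

// WEAK: the wp_ajax_nopriv_ hook exposes this handler to anonymous
// requests to admin-ajax.php, there is no capability or nonce check,
// and the raw value is stored unsanitized. A <script> tag submitted as
// banner_text becomes stored XSS wherever the option is later echoed.
function rr_demo_save_option_weak() {
    update_option( 'rr_demo_banner_text', $_POST['banner_text'] );
    wp_die();
}
add_action( 'wp_ajax_nopriv_rr_demo_save', 'rr_demo_save_option_weak' );
add_action( 'wp_ajax_rr_demo_save', 'rr_demo_save_option_weak' );

// HARDENED: only logged-in users with manage_options may change the
// option, the request must carry a valid nonce, and the value is
// reduced to plain text before it is stored.
function rr_demo_save_option_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Rejects the request (HTTP 403) when the 'nonce' field is missing
    // or does not match the 'rr_demo_save_nonce' action.
    check_ajax_referer( 'rr_demo_save_nonce', 'nonce' );

    $raw  = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';
    $text = sanitize_text_field( $raw ); // strips tags, encodes stray < > &
    update_option( 'rr_demo_banner_text', $text );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: anonymous visitors cannot reach it.
add_action( 'wp_ajax_rr_demo_save', 'rr_demo_save_option_hardened' );

// Output side: escape even sanitized values, so that whatever is in the
// database is rendered as text and never as markup, for visitors and
// administrators alike.
function rr_demo_render_banner() {
    $text = get_option( 'rr_demo_banner_text', '' );
    echo '<div class="rr-demo-banner">' . esc_html( $text ) . '</div>';
}
```

Both halves of the fix matter: the capability and nonce checks close the unauthenticated update, while sanitizing on input and escaping on output prevent a stored value from executing even if an authorized user saves something unexpected.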


The malvertising campaign delivers an XSS payload nearly identical to the one seen in operations of the same kind tracked since April. The company has published at least three reports on them this year.


The purpose of the threat actor is to redirect users to dangerous destinations like tech support scams, malicious Android packages, fraudulent websites, or malware locations. Another goal seems to be displaying pop-ups that promote dubious pharmaceutical products.


A report published on Tuesday says there are three IP addresses associated with this campaign:


94.229.170.38
183.90.250.26
69.27.116.3

When de-obfuscated, the payload runs a script named 'place.js' that is hosted on the domain adsnet[.]work.



Defiant recommends that website administrators who still have Rich Reviews active find an alternative and remove the plugin from their site.


Developer promises to ret ..