Hackers infecting WordPress sites via defunct “Rich Reviews” plug-in
If you’re a WordPress admin using a plug-in called Rich Reviews, you’ll want to uninstall it. Now. The now-defunct plug-in has a major vulnerability that allows malvertisers to infect sites running WordPress and redirect visitors to other sites.
Rich Reviews was a WordPress plugin that let sites manage reviews from within WordPress and also displayed a business's Google reviews beneath a search result. Marketing company
Updating an old blog post earlier this month, Nuanced Media, the plug-in developer, reaffirmed that it had discontinued the plugin. It blamed a change in Google's schema guidelines that stopped merchants from displaying review star ratings on their own URLs.
The company’s last update to the Rich Reviews GitHub repository was over three years ago. The plugin finally disappeared from the WordPress site in March this year, by which time it had accumulated 106,000 downloads in total.
The problem is that at least some of those downloaders (16,000, by some estimates) are still using it, and have been stung by a nasty vulnerability. The security bug allows attackers to inject malvertising code into victims’ WordPress pages, littering them with pop-up ads or redirecting them to other sites.
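The first thing an admin needs is to know whether the plug-in is present at all. As an added example (not code from the article or from Nuanced Media), the Python script below scans a WordPress plugins directory for any plugin declaring `Plugin Name: Rich Reviews` in its file header, so an install whose folder was renamed is still caught; the exact header string and the sample plugin files it builds are assumptions, not taken from the page.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# The header value to look for. The article names the plug-in "Rich Reviews";
# that this is the exact "Plugin Name:" string in its main file is an assumption.
TARGET_NAME = "Rich Reviews"

# WordPress reads file headers with a pattern of this shape: any mix of
# whitespace, '/', '*', '#' or '@' may precede the key on the line.
_HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:(.*)$", re.IGNORECASE | re.MULTILINE)


def plugin_name(php_file: Path) -> Optional[str]:
    """Return the 'Plugin Name' header of a PHP file, or None if it has none.
    Only the first 8 KiB are examined, which is what WordPress itself reads."""
    try:
        head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    except OSError:
        return None
    match = _HEADER_RE.search(head)
    return match.group(1).strip() if match else None


def find_plugin(plugins_dir: Path, target: str = TARGET_NAME) -> List[str]:
    """Scan a wp-content/plugins directory and return paths (relative to it)
    of every PHP file declaring `target` as its plugin name. Matching on the
    header rather than the folder name means a renamed install is still found."""
    hits = []
    for entry in sorted(plugins_dir.iterdir()):
        php_files = [entry] if entry.suffix == ".php" else sorted(entry.glob("*.php"))
        for php in php_files:
            name = plugin_name(php)
            if name is not None and name.lower() == target.lower():
                hits.append(php.relative_to(plugins_dir).as_posix())
    return hits


def demo() -> List[str]:
    """Build a constructed plugins directory with one decoy plugin and one
    renamed Rich Reviews folder, then scan it. All file content is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp)
        (plugins / "sample-plugin").mkdir()
        (plugins / "sample-plugin" / "sample.php").write_text(
            "<?php\n/*\nPlugin Name: Sample Plugin\n*/\n")
        (plugins / "reviews-old").mkdir()
        (plugins / "reviews-old" / "rich-reviews.php").write_text(
            "<?php\n/**\n * Plugin Name: Rich Reviews\n * Version: 1.0\n */\n")
        return find_plugin(plugins)


if __name__ == "__main__":
    print(demo())  # prints ['reviews-old/rich-reviews.php']
```

Point `find_plugin` at a real `wp-content/plugins` directory to run the check on a live install; any hit means the plug-in should be removed, as the article advises.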