An unpatched vulnerability in the Rich Reviews plugin for WordPress is putting an estimated 16,000 sites in danger of stored cross-site scripting (XSS) attacks.

Sites running the plugin are vulnerable to unauthenticated plugin option updates, which can be used to deliver malware payloads, and according to Wordfence, attacks are already happening in the wild.

“Attackers are currently abusing this exploit chain to inject malvertising code into target websites,” researchers explained in a Tuesday posting on the attack. “The malvertising code creates redirects and pop-up ads.”

For background, Rich Reviews is a plugin that offers websites a simple way to collect user reviews and star ratings, to be used by search engines in the site descriptions they return in search results. Websites can let visitors review specific products, categories or the entire website.

The Bug

There are two core issues at the heart of the vulnerability: One is a lack of access controls for modifying the plugin’s options, and the second is a subsequent lack of sanitization on the values of those options, according to Wordfence.

To perform options updates, the plugin checks for the presence of the POST body parameter "update"; if the expected value is present, the plugin iterates through the other options passed through POST and updates their values as needed.

“Unfortunately, this check is made every time the plugin’s RichReviews class is instantiated regardless of user permissions or the current path,” explained the researchers. “This means all incoming requests are capable of performing these changes.”

Further, a number of the vulnerable option values are responsible for customizing text displayed by the plugin: “Improper sanitization of these values allows attackers to inject JavaScript payloads which can be triggered by visitors as well as logged-in administrators,” the firm explained.

The payloads injected by these attackers are directly associated with a known, ongoing malvertising campaign, according to Wordfence.

“This XSS payload is nearly identical to those we’ve identified in this campaign before. The sourced third-party script place.js is similar to others we’ve seen in this malvertising campaign as well, which could trigger popup ads and unwanted redirects,” they explained.
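A defender's check for the tampering described above, as an added example that is not code from Wordfence or the plugin: it scans exported plugin option values, which should hold plain text, for script tags, event-handler attributes and javascript: URLs. The option names, values and host in SAMPLE_OPTIONS are constructed; the plugin's real option keys are not given in this article.

```python
from html.parser import HTMLParser

# Attributes whose value is a URL and could carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction"}


class MarkupAudit(HTMLParser):
    """Collects script-capable constructs found in one option value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag == "script":
            src = dict(attrs).get("src")
            self.findings.append(f"script src={src}" if src else "inline script")
        for name, value in attrs:
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_options(options):
    """Return {option_name: [findings]} for values that contain active markup."""
    report = {}
    for name, value in options.items():
        parser = MarkupAudit()
        parser.feed(str(value))
        parser.close()
        if parser.findings:
            report[name] = parser.findings
    return report


# Constructed sample: option names, values and the host are made up for this example.
SAMPLE_OPTIONS = {
    "form-submit-text": "Submit",
    "form-name-label": 'Name<script src="https://attacker.example.invalid/place.js"></script>',
    "form-title-label": '<img src="x" onerror="load()">Review Title',
    "review-read-more": '<a href=" JavaScript:void(0)">more</a>',
    "star-color": "#ffaf00",
}

if __name__ == "__main__":
    for option, findings in audit_options(SAMPLE_OPTIONS).items():
        print(option, "->", "; ".join(findings))
```

Any hit in an option meant to hold a label or button text is worth treating as a sign the site has been modified, since a legitimate value there contains no markup at all.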

No Patch

It’s not a zero-day; the plugin’s developers are aware of the vulnerability, researchers said – however, so far there’s no fix.

The plugin’s developers have released a statement: “We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.”

To protect themselves, users should remove the Rich Reviews plugin from their sites for now.

“The Rich Reviews plugin was removed from the WordPress repository six months ago,” Wordfence researchers said. “That means that, even if the developers release a fix, customers will not be able to update until the plugin is reinstated in the repository.”

Crooks abusing WordPress plugins for malvertising is nothing new. For instance, one campaign that has been ongoing since the beginning of the summer redirects website visitors to malware and fraud sites, using known vulnerabilities in WordPress plugins as the attack vector. The attackers target vulnerable websites running outdated WordPress plugin versions, inject malicious JavaScript into the front ends to perform the redirects, and add exploits to their repertoire on an ongoing basis, effectively widening the scope of the campaign. They have also begun installing persistent backdoors on compromised sites.
