The Rich Reviews plugin was removed from the WordPress.org directory on March 11, 2019, because of a security issue.
The XSS vulnerability found in the plugin still appears to be under active exploitation. Wordfence estimates that the plugin has around 16,000 active installations, and every one of these websites is vulnerable. Users are therefore urgently advised to remove the plugin as quickly as possible.
Problems with the Rich Reviews plugin
Two weeks ago a user of the Rich Reviews plugin reported that 3 of the 4 websites on which she used the plugin had been infected with redirect scripts. Removing the plugin fixed the problem, she reported. Nuanced Media, the author of the plugin, responded to her post that they were working on a new version:
We’ve been working on an overall rewrite of the plugin for a while, but apparently someone wanted us to work faster and decided to misuse our plugin to spread malware. We are now going to speed it up and hope to have the plugin (updated and safe) online within the next two weeks.
No patch available
Strangely enough, there seemed to be no rush to patch the vulnerability that is currently being exploited. Less than a week after users were assured that a new version was coming, Nuanced Media announced that it would immediately stop active support and development of Rich Reviews.
Nuanced Media CEO Ryan Flannagan cited recent changes to Google’s business review guidelines as the reason: “Google has decided to remove all sellers’ reviews that companies display on their own URL from the organic search results. Based on this information, we have stopped all active development and support for Rich Reviews. We apologize for the inconvenience.”
Nothing was said about the vulnerability or the recent exploitation of it in the Rich Reviews plugin. Users must therefore assume that a patch will no longer appear. Those who still use Rich Reviews are best advised to deactivate and remove the plugin.