
posted by janrinok on Thursday October 03 2019, @11:55PM
from the stay-current dept.

WordPress Sites Hacked Through Defunct Rich Reviews Plugin

An estimated 16,000 websites are believed to be running a vulnerable and no-longer-maintained WordPress plugin that can be exploited to display pop-up ads and redirect visitors to webpages containing porn, scams, and–worst of all–malware designed to infect users' computers.

Researchers at WordFence went public about how hackers are exploiting a zero-day vulnerability in a third-party WordPress plugin called Rich Reviews to inject malvertising code into vulnerable WordPress sites.

The threat is not theoretical.

Website owners have posted publicly about how they have been hit by scripting malware, and they are pointing the finger of blame at the Rich Reviews plugin.

Normally the advice would be for website administrators to update the plugin, thereby patching the security hole and preventing hackers from being able to compromise their websites. But in this instance, there is no update, and there may never be... because the developers of Rich Reviews stopped maintaining their software long ago.

And in March 2019, after a total of 106,000 downloads, the plugin was removed from the official WordPress plugin library, reducing the chances of more websites installing it. The reason given for its removal? "Security issue."

Source: tripwire.com
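The article leaves the practical step implicit: with no fix coming, the plugin has to be found and removed. The POSIX shell script below is an added example, not code from the article, from Wordfence or from the plugin's authors, that checks one or more WordPress document roots for the plugin directory and reports the version from its plugin header. It assumes the plugin sits under its standard directory name rich-reviews in wp-content/plugins and carries the usual WordPress "Version:" header comment; both are assumptions, and a copy installed under a renamed directory would not be caught.

```shell
#!/bin/sh
# Added example, not from the article: look for the unmaintained Rich Reviews
# plugin in one or more WordPress document roots. The directory name
# "rich-reviews" and the "Version:" plugin header are assumptions.

PLUGIN_SLUG="rich-reviews"

# find_rich_reviews DOCROOT
# Prints "DOCROOT: rich-reviews VERSION" and returns 0 when the plugin
# directory exists; prints nothing and returns 1 when it does not.
find_rich_reviews() {
    docroot="$1"
    plugin_dir="$docroot/wp-content/plugins/$PLUGIN_SLUG"
    [ -d "$plugin_dir" ] || return 1
    # A WordPress plugin header is a PHP comment block in the plugin's main
    # file, e.g. " * Version: 1.2.3"; take the first Version line found in
    # any .php file in the plugin directory and strip the label.
    version=$(cat "$plugin_dir"/*.php 2>/dev/null \
              | grep -i '^[[:space:]*]*Version:' \
              | head -n1 \
              | sed 's/^[^:]*:[[:space:]]*//')
    printf '%s: %s %s\n' "$docroot" "$PLUGIN_SLUG" "${version:-unknown-version}"
    return 0
}

# scan_roots DOCROOT...
# Runs the check over several installs (e.g. every vhost on a shared host).
# Returns 0 if any install has the plugin, so the exit status can drive an
# alert from cron; returns 1 when none of them do.
scan_roots() {
    found=1
    for root in "$@"; do
        find_rich_reviews "$root" && found=0
    done
    return $found
}

# Direct usage: ./check-rich-reviews.sh /var/www/site1 /var/www/site2
if [ "$#" -gt 0 ]; then
    scan_roots "$@"
fi
```

On hosts with WP-CLI, `wp plugin list` shows what is installed and active, and `wp plugin deactivate rich-reviews` followed by `wp plugin delete rich-reviews` removes it. A hit from this check is the start of a cleanup rather than the end of it: deleting the plugin directory does not undo anything an attacker has already written into the site's database or theme files, so those still need to be inspected.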

  • (Score: 2) by SomeGuy (5632) on Friday October 04 2019, @12:57AM (#902495)

    I miss the days when there was real tech news. Sure things broke and went boom all the time, but there were constantly new products and innovations, and when a product died, something else would fill the void, and perhaps even do better.

    These days it's just everything getting "hacked", technology falling apart, the only new products are dumbed down garbage designed for complete idiots and crap designed to rape everyone's privacy.

  • (Score: 0) by Anonymous Coward on Friday October 04 2019, @05:49PM (#902712)

    I was thinking about it in an interesting era of emerging CMSes. At first, their plug-ins worked as local pieces of code fired by the CMS main engine, or even in the user's browser as JS. Then they began to rely on external services more and more, and that's when I decided to make my hobby website static again. WordPress plugins tend to "phone home", stealing users' data. The same thing goes with most "so open" CMSs, and that's the way to pay for it or make other users pay. Just trust some shady company which may disappear any moment and anyone can hijack their domain, what can go wrong?
    An interesting fact: on my old machine, I have a firewall (used in fact as a process monitor/separator) which I used to block from its own update server, as it liked to delete itself when it found that there was a file with a new version, but the domain got borked and the "updated version" was a domain parking file :).
    So next time, if some devs move a feature to an extension, this is the modern, official way to strip the program of this feature completely, as the extension will not be maintained. See Firefox and its deleted ability to be controlled with a single mouse button.