The issue in the Rich Reviews plugin is being actively exploited.
An unpatched vulnerability in the Rich Reviews plugin for WordPress is putting an estimated 16,000 sites in danger of stored cross-site scripting (XSS) attacks.
Sites running the plugin are vulnerable to unauthenticated plugin option updates, which can be used to deliver malware payloads; and according to Wordfence, attacks are already happening in the wild.
“Attackers are currently abusing this exploit chain to inject malvertising code into target websites,” researchers explained in a Tuesday posting on the attack. “The malvertising code creates redirects and pop-up ads.”
Full Article.