Starfish Reviews has adopted the Rich Reviews plugin and released version 1.8 with security fixes. This article will cover the timeline of events as to how that all unfolded and the current state of Rich Reviews. It is not intended as a comprehensive security explanation. The articles linked to cover that in detail. Highlights:
- Security Vulnerabilities were originally discovered and disclosed in 2017. Some minor ones were resolved at the time. A Major vulnerability remained.
- Remaining major vulnerabilities were actively exploited to infect WordPress websites with malware, Sept 2019.
- Starfish Reviews adopted the plugin 2 weeks ago.
- Today Rich Reviews 1.8 was released! It is fully patched, partially re-written, and secured. Security is the #1 focus of this release.
- All sites with Rich Reviews installed should update to version 1.8 or above.
Conception & Early Days
The Rich Reviews plugin was originally released in January 2013. It was conceived by Nuanced Media but developed by the seemingly now defunct Foxy Technology. They actively developed and maintained the plugin over the years, including adding new features. At some point Foxy stopped being involved in development of the plugin.
The original plugin used poor WordPress development practices by today’s standards. Keep in mind that it was created in 2013 when WordPress and development standards were very different than today. It opted to create its own options screen from scratch, rather than use the Options API, which includes many security features.
Plus the developers created other interfaces that might have used WordPress native methods. For example a Custom Post Type might have been used for the reviews. Instead, a custom interface was built that looks and works similarly to the normal post/CPT management interface. That all meant that security had to be considered in all this, since many of WordPress’ built-in measures were not utilized.
One feature they added later was a full Shopper Approved (a review management platform) integration. This allowed people to directly integrate their Shopper Approved account with their WordPress website.
Vulnerabilities Discovered
In 2017, the Plugin Vulnerabilities scanner flagged the plugin as potentially unsafe. When their team reviewed the plugin, they found several vulnerabilities in Rich Reviews. They reached out to Nuanced Media in responsible disclosure, identifying and explaining the issue a month before publishing their findings.
Nuanced Media responded by removing the Shopper Approved integration in their next update to the plugin. It was that addition that contained a couple of the identified security flaws. However, the most grievous and likely to be exploited, XSS (cross site scripting) vulnerability remained unresolved.
Part of the reason for this was likely that in-order to fully and properly secure the plugin, it would require completely rewriting the options interface to use the WordPress Options API. That was not a simple fix. They couldn’t just modify a few pieces of code to use best-practices and be done with it.
Plugin Closed on WordPress.org
In March of 2019, the WordPress.org Plugin team closed the plugin due to its unresolved security issues. As I understand it, Nuanced Media had decided not to continue development of the plugin at this time. It was a business decision: the plugin no longer aligned with their core mission and goals.
Unfortunately, this move left any site still actively running Rich Reviews open to attack by exploiting the remaining XSS security flaw.
Actively Exploited for Malware
In Sept 2019, the WordFence team identified sites that had been infected with malware by exploiting the XSS vulnerability in Rich Reviews. They published their findings including both the security issues in the plugin and the attack campaign being used to exploit it. They recommended removing the plugin entirely, since it had been closed.
Discovery by Starfish
A number of security-focused media outlets picked up the story. Danny Bradburry at Naked Security by Sophos wrote a detailed article about the entire situation. I read this article shortly after it was published, and that’s when Starfish Reviews entered the picture. Based on headlines I’d seen previously, I assumed this plugin was from a company with a similar name. I thought it was too bad they’d abandoned the plugin but didn’t think much more of it.
While reading the Sophos post, I kept thinking, “maybe we could help with this situation by adopting the Rich Reviews plugin?” Then toward the end of the post, I read this sentence:
The company is looking for developers who are interested in taking over the plug-in’s development…
I immediately messaged Matt and asked what he though? After some discussion and investigation, we decided to pursue adoption. I scheduled an appointment to talk with Ryan Flannagan, CEO of Nuanced Media for the following day.
Addoption by Starfish
On Fri., Sept 27th I had a video chat with Ryan. He was very gracious and great to talk to. He made it clear that his company had previously shifted its core focus. As such, Rich Reviews was just not a priority for them any longer. He expressed strong desire to do right by the community and regretted that anything negative had come from their plugin.
Ryan also made it clear they just didn’t have the bandwidth to spend on something that didn’t align well with their new focus and mission. So he was glad to hand it off to us, where it aligned so well with Starfish’s goals and mission. During the video chat, he made me a committer for Rich Reviews on the WordPress.org repo.
Securing Rich Reviews
Matt got to work right away. He re-wrote the entire options interface using the WordPress API. This resolved the main XSS vulnerability. He also implemented a number of other security enhancements.
We went through a few rounds of testing and fixing. Then used the WordFence plugin to scan the plugin. It checked out clean! So Matt pushed the updated plugin to WordPress.org SVN and emailed the Plugins team about reviewing and reopening.
It turned out we had missed the fact there was already a version 1.7 (we thought 1.6.5 was the last public release) and so our updated code got merged with the existing version on SVN. When the plugins team reviewed, it appeared all the old vulnerabilities still existed.
Matt updated to 1.8 and asked them to review again. They suggested a few more best-practices be implemented in this latest version. He did that and they approved re-opening Rich Reviews on the WordPress.org plugin repo. That made version 1.8 public and available for automatic update in WordPress dashboards that were running the plugin! That happened just a few hours ago, today the 7th of Oct 2019. For your site’s security, update now if you are running Rich Reviews! And remember to updated WordPress core, all themes, and plugins on a regular basis.
Schema aka Rich Snippets
Google recently announced that they’d no longer be display “self serving” reviews rich snippets (aka schema) in their search results. At this point our understanding is that if you capture reviews of your own business, product, or service on your own website, then include the ratings results in your site’s micro data (another name for “rich snippets” and “schema”), Google won’t display those ratings in their search results.
This is one of the main benefits of Rich Reviews and may be a key factor in its popularity. Google says that self-serving ratings in your schema will not hurt your search ranking in any way, they just won’t show that part in the search results. So at this point, we won’t be changing the way the plugin functions on this front. Other search engines and tools may still use that schema meta data, and it’s not hurting websites that continue to use it.
The Future of Rich Reviews
At Starfish Reviews, our goal is to make review marketing and online reputation management tools available inexpensively, to everyone, through WordPress. So Rich Reviews fits nicely with that goal. It’s a freely available plugin that anyone can use to capture and display testimonials and reviews on their website. It fits well with our other plugins: Starfish Reviews, Plugin Reviews, and Satisfaction Reports from Help Scout.
We plan to maintain and potentially improve Rich Reviews for the foreseeable future. Before we were aware of it’s existence (only a few weeks ago) we were hard at work adding similar functionality to Starfish Reviews, and will be getting right back to that later this week. So we’re not entirely sure how these plugins will co-exist in our lineup, just yet.
Just rest assured that we will be keeping Rich Reviews secure and updated to run with the latest versions of WordPress and PHP. We want people who’ve been using it, and new users alike, to be able to use the Rich Reviews plugin with confidence and peace of mind. In fact, we’ve already run it through SonarCloud’s analyzer and further shored up the security of Rich Reviews (see screenshot above).
If you were a Rich Reviews user previously, we welcome you to the Starfish Reviews family. Please don’t hesitate to contact us if you have any questions, comments, or issues with Rich Reviews.
Hi, Can you advise how to remove the hacked code from the rr_options table also please.
I have updated one version of rich reviews on a site and it seems to have removed this entry from the wp_options table.
but another site has been updated and it still exists.
Is the rr_options no longer used at all? can it be removed from the table?
Thanks for sorting this plugin.
Hi Simon. Yes you can safely remove the rr_options entry from the wp_options table in the database. Version 1.8.1 is supposed to delete that as part of the update process. That was what was causing issues for some people. So if it’s not being deleted, you can manually delete and should be good to go.
Tevya – Great Article! Demonstrates your competence and commitment to advancing your business objectives. Excellent Customer Support is key to your success, and always will be! – Bob
hi
excellent plugin
but the notification of a new review via email does not work
how can i fix this ?
Hi Simon, glad you like Rich Reviews. This is a known issue with the plugin. We have a fix, but are testing it and working out a few other bugs. It should be released very soon, fixing this issue.