An unpatched vulnerability in the Rich Reviews plugin for WordPress is putting an estimated 16,000 sites in danger of stored cross-site scripting (XSS) attacks.
Sites running the plugin are vulnerable to unauthenticated plugin option updates, which can be used to deliver malware payloads. According to Wordfence, attacks are already happening in the wild.