The Rich Reviews plugin was removed from the WordPress repository more than six months ago. The plugin is vulnerable to unauthenticated plugin option updates and attackers are leveraging it to deliver stored cross-site scripting (XSS) payloads. Malvertising campaign delivers a nearly identical XSS payload as seen in operations of the same kind tracked since April. Developers are aware of the vulnerability and are working to fix it. Over 85% of the installations are for the vulnerable version 1.7, while the latest, secure release reached 9.1%.
Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-unpatched-bug-in-rich-reviews-wordpress-plugin/