A vulnerability has been found in the popular WordPress plugin FancyBox. With more than 600,000 downloads from the WordPress plugin directory, the vulnerability in FancyBox has potential to impact a large amount of WordPress sites if left unaddressed.
Rooted out by Sucuri (the same security company that identified Heartbleed
and, more recently, SoakSoak
), the vulnerability in FancyBox could allow for malicious code injections.
Writing for Sucuri, Daniel Cid said his team ran a code / vulnerability review to dive into the issue and see how serious it may be.
“After some analysis,” Cid said, “we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site.”
Sucuri analyzed the logs from their code review, and posted an example of what attacks through the FancyBox vulnerability look like:
184.108.40.206 – – [04/Feb/2015:00:25:09 -0500] “POST /wp-admin/admin-post.php?page=fancybox-for-wordpress HTTP/1.1″ 403 4207
INPUTBODY:action=update&mfbfw%5Bext.. malware payload hidden
The issue was first posted as a zero-day vulnerability on Wednesday, February 4, 2015; since that time, the FancyBox team has released two successive updates to the plugin that should address the vulnerability in the code.
If you use the FancyBox plugin, it is recommended that you either remove or update it immediately to mitigate any potential attacks from this vulnerability.
As always, if you have any questions about updating this plugin to the most secure version on your WordPress site, don’t hesitate to contact a member of our support team.
There have been reports
of WordPress sites being blacklisted by Google due to the vulnerability in the FancyBox plugin. Again, it is recommended you update this plugin immediately.
Works Cited / For Further Reading:
Zero-day in the FancyBox-for-WordPress plugin. (Sucuri
FancyBox-for-WordPress plugin. (FancyBox