Zero-day in the Fancybox-for-WordPress Plugin

 

Zero-day in the Fancybox-for-WordPress Plugin

http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+sucuri%2Fblog+%28Sucuri+Blog%29The fancybox-for-wordpress plugin is a popular WordPress plugin with more than 550,000 downloads. There doesn’t appear to be any public vulnerabilities being reported, which piqued our interest. To understand how it was connected, we decided to do our own code / vulnerability review.

After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information.

What makes things worse, is that it’s being actively exploited in the wild, leading to many compromised websites. Read more…