A critical zero-day vulnerability has been discovered in a popular WordPress plugin called ‘FancyBox for WordPress’, which is used by hundreds of thousands of websites running on WordPress, the most popular blogging platform.
Zero day in fancybox-for-wordpress
The fancybox-for-wordpress plugin is a popular WordPress plugin with more than 550,000 downloads. There don’t appear to be any public vulnerabilities being reported, which piqued our interest. To understand how it was connected, we decided to do our own code / vulnerability review.
After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information.
What makes things worse is that it’s being actively exploited in the wild, leading to many compromised websites.
This is what the attacks look like:
184.108.40.206 - - [04/Feb/2015:00:25:09 -0500] "POST /wp-admin/admin-post.php?page=fancybox-for-wordpress HTTP/1.1" 403 4207
INPUTBODY:action=update&mfbfw%5Bext.. malware payload hidden
Remove this plugin Immediately!
The plugin was just removed by the WordPress.org team from their repository and you need to remove it from your site as well! If you require it for specific features you really need to look at deploying alternative security solutions to help protect your website and block exploit attempts.
Users of our Website Firewall are already protected, but if you do not employ a similar service and leverage this plugin, consider yourself highly vulnerable and at high risk of compromise.
We will post more details about this vulnerability once we have given time for everyone to patch (when it becomes available).
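To check whether a site received requests shaped like the log line quoted above, the access log can be searched for POSTs to admin-post.php carrying page=fancybox-for-wordpress. The following is an added example, not code from the advisory or the plugin; it assumes common/combined log format, the sample lines are constructed, and treating a response status below 400 as "not blocked" is a heuristic assumption, not proof of compromise.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def normalize(line):
    """Undo typographic quotes/dashes introduced when logs are pasted through a CMS."""
    for bad, good in (("\u201c", '"'), ("\u201d", '"'), ("\u2033", '"'), ("\u2013", "-")):
        line = line.replace(bad, good)
    return line

def is_fancybox_settings_post(method, target):
    """True for a POST to admin-post.php whose query has page=fancybox-for-wordpress."""
    parts = urlsplit(target)
    if method != "POST" or not parts.path.endswith("/wp-admin/admin-post.php"):
        return False
    # parse_qs percent-decodes, so page=fancybox%2Dfor%2Dwordpress also matches.
    return "fancybox-for-wordpress" in parse_qs(parts.query).get("page", [])

def scan(lines):
    """Return {source_ip: [(timestamp, status), ...]} for matching requests."""
    hits = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(normalize(raw.strip()))
        if m and is_fancybox_settings_post(m["method"], m["target"]):
            hits[m["ip"]].append((m["time"], int(m["status"])))
    return dict(hits)

def not_blocked(hits):
    """Source IPs with at least one matching request answered below 400 (heuristic)."""
    return sorted(ip for ip, events in hits.items() if any(s < 400 for _, s in events))

# Constructed sample log lines using documentation-range addresses; not real traffic.
SAMPLE = [
    '198.51.100.7 - - [04/Feb/2015:00:25:09 -0500] "POST /wp-admin/admin-post.php?page=fancybox-for-wordpress HTTP/1.1" 403 4207',
    '203.0.113.9 - - [04/Feb/2015:01:02:03 -0500] "POST /wp-admin/admin-post.php?page=fancybox%2Dfor%2Dwordpress HTTP/1.1" 302 0',
    '203.0.113.9 - - [04/Feb/2015:01:02:09 -0500] "GET /wp-admin/admin-post.php?page=fancybox-for-wordpress HTTP/1.1" 200 512',
    '192.0.2.44 - - [04/Feb/2015:01:05:00 -0500] "POST /wp-admin/admin-post.php?page=other-plugin HTTP/1.1" 200 90',
    '198.51.100.7 \u2013 \u2013 [04/Feb/2015:00:26:10 -0500] \u201cPOST /wp-admin/admin-post.php?page=fancybox-for-wordpress HTTP/1.1\u2033 403 4207',
]

if __name__ == "__main__":
    found = scan(SAMPLE)
    for ip, events in found.items():
        print(ip, events)
    print("follow up on:", not_blocked(found))
```

Any source IP reported by not_blocked() points at a request that was accepted at the web-server layer, so the plugin's stored settings and the rendered pages on that site are the next place to look for injected content.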
Without wasting much time, the developers released two new versions of the plugin on Thursday to fix the zero-day flaw. Version 3.0.3 addresses the actual flaw, while version 3.0.4, released late yesterday by José Pardilla, renames the plugin setting where the issue originated.
According to the plugin changelog, the latest updates stop the malicious code from appearing on websites where the plugin is updated, but they do not remove the malicious code itself. Users who have the FancyBox for WordPress plugin installed on their sites are advised to apply the patch immediately.
WordPress is a free, open source blogging tool and content management system (CMS) with more than 30,000 plugins, each of which offers custom functions and features that let users tailor their websites to their specific needs. It is easy to set up and use, which is why tens of millions of websites across the world opt for it, and therefore WordPress sites are a favorite target for hackers.