Zero-day vulnerability discovered in WordPress FancyBox plugin – 500k websites potentially at risk

I guess it’s not really news that there are vulnerable WordPress plugins out there, but, nevertheless, here’s another.

Popular image plugin FancyBox has issued a patch to fix a vulnerability that allowed the delivery of a malicious iframe through persistent cross-site scripting.

The plugin has over half a million downloads and was temporarily withdrawn from the WordPress plugin directory after the vulnerability was discovered.

The Russian researchers Gennady and Konstantin Kovshenin, who discovered the vulnerability, said that “many sites” were compromised but didn’t specify what number “many” represents.

“After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site”, the research team said.

News of this vulnerability first popped up in a WordPress forum posting yesterday.

If you have the FancyBox plugin installed, then it’s highly recommended that you apply the latest update to protect yourself from the attack.