A critical zero-day vulnerability has been discovered in a popular WordPress plugin called 'FancyBox for WordPress', which is used by hundreds of thousands of websites running on WordPress, the most popular blogging platform.
0-DAY FLAW EXPLOITED IN THE WILD
Security researchers at the network security firm Sucuri issued a warning on Wednesday about the zero-day vulnerability, which is being "actively exploited in the wild" by malicious hackers in order to infect as many victims as possible.
While more than 70 million websites on the Internet currently run the WordPress content management system, over half a million of them use the 'FancyBox for WordPress' plugin, making it one of the most popular WordPress plugins for displaying images, HTML content and multimedia in a so-called "lightbox" that floats on top of web pages.
HACKERS INJECT MALWARE INTO WEBSITES
The vulnerability allows attackers to inject a malicious iframe (or arbitrary script or content) into vulnerable websites; in the observed infections the injected iframe redirects visitors to a '203koko' website.
"All the infections had a similar malicious iframe from '203koko' injected into the website," Daniel Cid, founder and chief technology officer of Sucuri who discovered the vulnerability, wrote in an advisory. "In analysing the infected websites, we found that all the websites were using the FancyBox for WordPress plugin."
The FancyBox for WordPress plugin has since been temporarily removed from the WordPress Plugins Directory, and the researchers advised users and WordPress developers to remove the plugin, as it had not been updated for two years and poses a security threat to users.
PATCH RELEASED
Without wasting much time, the developers released two new versions of the plugin on Thursday to fix the zero-day flaw. Version 3.0.3 addresses the actual flaw, while version 3.0.4, released late yesterday by José Pardilla, renames the plugin setting where the issue originated.
According to the plugin changelog, the latest updates stop the injected malicious code from being rendered on websites where the plugin is updated, but they do not remove the injected code itself. Users who have the FancyBox for WordPress plugin installed on their sites are advised to apply the patch immediately.
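Because the patch only stops the injected content from rendering, a site owner still wants to confirm that the plugin is at a fixed version and to look for the injected iframe in the site's output. The following is an added example written for this article, not code from Sucuri or from the plugin's developers: it scans a page for `<iframe>` and `<script>` tags whose source host is not on an allowlist, and compares an installed version string against the 3.0.3 fix release. The HTML fragment and the allowlist are constructed sample data, and the `203koko.example` hostname is a placeholder standing in for the '203koko' indicator named in the advisory, not a real domain from the page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed, one hidden injected iframe.
# The '203koko.example' host is a placeholder for the indicator in the advisory.
SAMPLE_HTML = """
<html><head><title>Blog</title></head><body>
<iframe src="https://www.youtube.com/embed/abc123" width="560"></iframe>
<p>Welcome to my blog.</p>
<iframe src="http://203koko.example/path" width="1" height="1" style="display:none"></iframe>
<script src="https://cdn.example.com/jquery.js"></script>
</body></html>
"""

# Hosts the site owner knows are legitimate (constructed for this example).
ALLOWED_HOSTS = {"www.youtube.com", "cdn.example.com"}


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every <iframe> and <script> tag."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            for name, value in attrs:
                if name == "src" and value:
                    self.found.append((tag, value))


def find_suspicious_embeds(html, allowed_hosts):
    """Return (tag, src) pairs whose host is not in allowed_hosts.

    Embeds with no resolvable host (e.g. a relative path) are also
    reported, since the allowlist cannot vouch for them.
    """
    parser = _SrcCollector()
    parser.feed(html)
    suspicious = []
    for tag, src in parser.found:
        host = (urlparse(src).hostname or "").lower()
        if host not in allowed_hosts:
            suspicious.append((tag, src))
    return suspicious


def is_patched(installed_version, fixed_version="3.0.3"):
    """True if the installed plugin version is at least the fixed release.

    Versions are compared numerically component by component, so 3.0.10
    is correctly treated as newer than 3.0.3.
    """
    def to_tuple(version):
        return tuple(int(part) for part in re.findall(r"\d+", version))

    return to_tuple(installed_version) >= to_tuple(fixed_version)


if __name__ == "__main__":
    for tag, src in find_suspicious_embeds(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"suspicious <{tag}> src={src}")
    # Version string would come from the plugin's header on a real site.
    print("plugin patched:", is_patched("3.0.4"))
```

On a real site the HTML would come from fetching the rendered front page (the injected iframe is only visible in the output of an unpatched install), and the version string from the plugin's header file; the allowlist has to be built from the embeds the site is known to use.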
WordPress is a free, open source blogging tool and content management system (CMS) with more than 30,000 plugins, each of which offers custom functions and features that let users tailor their websites to their specific needs. It is easy to set up and use, which is why tens of millions of websites across the world opt for it, and that same popularity makes WordPress sites a favorite target for hackers.