Attackers exploit zero-day flaw in popular WordPress plug-in

WordPress sites with the plug-in Fancybox-for-WordPress should apply a critical security update released Thursday that fixes a vulnerability already exploited by attackers.

Researchers from Web security firm Sucuri issued a warning about the vulnerability Wednesday after seeing attacks that injected a malicious iframe into websites.

They tracked down the problem to a flaw in Fancybox-for-WordPress, which allows webmasters to easily integrate the Fancybox JavaScript library into their WordPress sites. FancyBox is a tool for displaying images, HTML content and multimedia in a so-called “lightbox” that floats on top of Web pages.

Fancybox-for-WordPress has been downloaded almost 600,000 times from the official WordPress plug-in repository to date.

“After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site,” the Sucuri researchers said in a blog post in which they advised users to remove the plug-in because the flaw was unpatched.

That might no longer be necessary as the plug-in’s developers released two new versions in rapid succession Thursday to fix the vulnerability. Version 3.0.3 addresses the actual flaw, while version 3.0.4 renames the plug-in setting where the issue originated.

“This should stop the malicious code from appearing on sites where the plugin is updated without removing the malicious code,” the plug-in developers said in the changelog.

Users are advised to update to the latest version — 3.0.4.

WordPress sites are a favorite target for hackers, who compromise them to host malicious content and spam pages or to try and gain control of the underlying Web servers. Vulnerabilities in WordPress plug-ins and themes have been exploited before in large scale attacks that compromised thousands of websites.