A critical zero-day vulnerability has been discovered in FancyBox for WordPress, a popular plugin used by hundreds of thousands of websites running on WordPress, the most widely used blogging platform.
Security researchers from the network security company Sucuri issued a warning on Wednesday about the zero-day vulnerability that is being “massively exploited” by malicious hackers to infect as many victims as possible.
While there are over 70 million websites currently running the WordPress content management system on the internet, over half a million websites use the FancyBox for WordPress plugin, making it one of the most popular WordPress plugins for displaying images, HTML content, and multimedia in a floating “lightbox” on top of web pages.
The vulnerability allows attackers to inject a malicious iframe (or arbitrary script or HTML) into pages served by vulnerable websites, typically to redirect visitors to a malicious site.
A patch is already available!
Without wasting much time, developers released two new versions of the plugin on Thursday to fix the zero-day flaw. Version 3.0.3 addresses the actual vulnerability, while version 3.0.4, released yesterday afternoon by José Pardilla, renames the plugin’s setting where the problem originated.
According to the plugin’s changelog, the updates also stop previously injected code from being rendered on sites that update the plugin without first removing the malicious content from its settings.
Users who have the FancyBox for WordPress plugin installed on their sites are advised to apply the patch immediately. Because updating only stops the injected content from being rendered, site owners should also inspect the plugin’s stored settings and their pages for leftover iframes or scripts and remove them.
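To verify that a site is clean after updating, an administrator can scan the rendered HTML of a few pages for iframes and scripts loaded from hosts other than the site’s own, which is the form the injected redirect described above takes. The following is an added example for this article, not code from Sucuri or from the plugin’s authors; the sample page, the site host example.org, the allowlisted CDN host and the 203.0.113.5 address are all constructed for the example.

```python
"""Scan rendered HTML for off-site <iframe> and <script> embeds.

Added example, not the plugin's or Sucuri's code. It assumes the injected
payload appears as an iframe or script whose src points at a host other than
the site's own (the redirect behaviour described in the article). The page
below is a constructed sample, not captured from a real infected site.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _EmbedCollector(HTMLParser):
    """Collect the src attribute of every <iframe> and <script> tag."""

    def __init__(self):
        super().__init__()
        self.embeds = []  # list of (tag, src) pairs in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.embeds.append((tag, src))


def find_offsite_embeds(html, site_host, allowlist=()):
    """Return (tag, src) pairs whose host is neither site_host nor allowlisted.

    Relative URLs (no host component) are served by the site itself and are
    skipped; protocol-relative URLs such as //203.0.113.5/x are resolved to
    their host. Inline scripts without a src are not examined here.
    """
    parser = _EmbedCollector()
    parser.feed(html)
    allowed = {site_host.lower(), *(h.lower() for h in allowlist)}
    suspicious = []
    for tag, src in parser.embeds:
        host = urlsplit(src).hostname
        if host is None:
            continue  # relative path, served from this site
        if host.lower() not in allowed:
            suspicious.append((tag, src))
    return suspicious


# Constructed sample page: legitimate local plugin script, a legitimate CDN
# script, and a hidden 1x1 iframe pointing at an attacker-controlled host.
SAMPLE_PAGE = """<html><head>
<script src="/wp-content/plugins/fancybox-for-wordpress/fancybox/jquery.fancybox.js"></script>
<script src="https://example.org/wp-includes/js/jquery/jquery.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
</head><body>
<div id="fancybox-content"></div>
<iframe src="//203.0.113.5/redirect.html" width="1" height="1" style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    hits = find_offsite_embeds(SAMPLE_PAGE, "example.org",
                               allowlist=("ajax.googleapis.com",))
    for tag, src in hits:
        print(f"suspicious <{tag}> loading {src}")
```

In practice, feed the function the HTML fetched from several public pages of the site (the front page, a post, a page that actually uses the lightbox) and treat any hit outside your known CDNs as something to investigate; the allowlist exists so that legitimate third-party assets do not drown out the injected one.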
WordPress is an open-source blogging tool and content management system (CMS) with over 30,000 plugins, each offering custom functions and allowing users to tailor their websites to their specific needs. Because WordPress is easy to set up and use, sites running it are a favorite target for hackers.