18 Comments

  1. Gabriel Cooper

    Thank you Sarah! I have the odd feeling this might be affecting themes with fancybox built in as well.

    By the way, I think Google is going to flag the email version of this article… and maybe the article itself… for containing that code. Gmail gave me a nastygram about it.

  2. Ryan Hellyer

    In case there is any confusion here, this appears to be a flaw in the FancyBox for WordPress plugin, not in FancyBox itself, which is just a jQuery plugin.

    • RavanH

      “In case there is any confusion here, this appears to be a flaw in the FancyBox for WordPress plugin, not in FancyBox itself, which is just a jQuery plugin.”

      That seems to be a widespread misunderstanding as I’m getting some questions about security of my plugin (Easy FancyBox) because of this… Hope it is clear this particular vulnerability does not necessarily concern other FancyBox plugins.

  3. Mark

    Thanks for letting everyone know about this. We have been busily checking all our sites to see if any use it, but it would be nice if the WordPress plugin repository gave an indication of why it was pulled (for anyone stumbling upon it), and even, for sites using it, sent a notice to the plugin menu like an upgrade notification.

  4. MaxM

    The author has already pushed out a newer version, 3.0.3. The changelog reflects the needed fixes: “3.0.3 Fixed a security issue. (Thanks to mickaelb for reporting and Konstantin Kovshenin for providing the fix).”

  5. José Pardilla

    The plugin was updated a few hours ago with v3.0.3, fixing the vulnerability.

    Apologies to everyone for the inconveniences caused.

  6. Tomas M.

    I had 4 sites with this plugin… is there any way to check if the site was already exploited?

    Interesting, but my logs show that Fancybox update was pushed from WP.org (that means it was installed automatically without my interaction). I didn’t know about this WP feature, or is it some kind of “last resort” feature that only gets used once in a while?

  7. nicola

    If you are using a caching plugin you may have cached pages with the iframe injected.

  8. José Pardilla

    You can clear cache to be sure as nicola mentioned and check the source code of your site inside your head tag. The malicious code was injected near the line that reads ““, and it looked like the code mentioned at the beginning of this article.

    The auto update was set on automatic mode by the WP.org security team to help mitigate the effects of the vulnerability. The version that WP.org is auto-updating to fixes the issue and changes the name of the setting where the malicious code was stored, so if your site got infected, the update should clear it.

    • yolabingo

      “The auto update was set on automatic mode by the WP.org security team”
      I am very curious to know what exactly was done, and how. It looks like every site that had this plugin had all its themes and plugins auto updated? I know how this can be enabled per-site, but how exactly did these updates get pushed?
      http://codex.wordpress.org/Configuring_Automatic_Background_Updates#Plugin_.26_Theme_Updates_via_Filter

      • José Pardilla

        I’m not entirely sure how it works but to my understanding Auto Updates for plugins and themes are a (disabled by default) built-in feature on WordPress installations. The Security team can override this and force an update for a particular plugin if they decide it’s worth doing so, such as in this case, or when the Jetpack vulnerability was found last year.

        The link you posted describes how to enable these auto-updates on your own WordPress installation if desired, although normally this shouldn’t be necessary, since manually updating them gives you a better chance at testing and checking that the update doesn’t break them, or at least at finding out if that happens.

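    Following up on the check described in comments 7 and 8 (clear the cache, then look at the page source inside the head tag), here is an added example of my own, not code from the article, the plugin or any commenter: a stdlib-only Python script that walks a directory of cached HTML files and reports any iframe found inside <head>, where no legitimate page places one, so the host of the injected frame does not need to be known. The cache directory path and the embedded sample page with its placeholder src host are assumptions.

```python
import sys
from html.parser import HTMLParser
from pathlib import Path

class HeadIframeFinder(HTMLParser):
    """Collects <iframe> tags seen inside <head>; iframes never belong there."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.hits = []  # (line, column, src) for each iframe found in <head>

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "iframe" and self.in_head:
            line, col = self.getpos()  # position of the tag start
            self.hits.append((line, col, dict(attrs).get("src", "")))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def find_head_iframes(html):
    """Return (line, column, src) for every iframe inside <head>, whatever the host."""
    parser = HeadIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits

def scan_cache_dir(cache_dir):
    """Walk a directory of cached .html files and map each suspicious file to its hits."""
    findings = {}
    for path in Path(cache_dir).rglob("*.html"):
        hits = find_head_iframes(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample page (not captured from a real site); the src host is a placeholder.
SAMPLE_INFECTED = """<html><head><title>Blog</title>
<iframe src="http://example.invalid/frame" style="display:none"></iframe>
<meta name="generator" content="WordPress"></head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":  # usage: python this_script.py /path/to/cache-dir
    for path, hits in scan_cache_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line, col, src in hits:
            print(f"{path}:{line}:{col}: iframe in <head> src={src!r}")
```

    Any hit is worth inspecting by hand, since a hidden iframe in the head of a cached page will keep being served after the plugin itself has been patched.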
  9. Neal Merchant (@nealtronics)

    There are some other plugins on WordPress.com that use FancyBox, such as “Easy FancyBox” and “FancyBox”. I know that @RyanHellyer said that this affects the plugin “Fancybox for WordPress”, so if I don’t have this particular plugin installed, should I still be concerned? Thanks in advance.

  10. Robert

    Administrators who had the vulnerable version of this plugin installed should also consider resetting their user sessions and credentials. The patch issued yesterday closes the exploit vector within the plugin, but depending on how an attacker chose to exploit the vulnerability, it could have led to compromised user credentials or arbitrary code execution in the admin panel (this would have been a separate attack from the iframe being reported here).

  11. soulseekah

    Also, a note to those of you who are using Wordfence: they’re currently scanning files for the 203koko URL and reporting it as a threat. However, caching plugins like WTC will cache blogrolls and Dashboard news feeds. This article was featured in the news feed and contains the 203koko URL in the body. This content is being cached to flat files, which are scanned by Wordfence. Such cases are false positives.

  12. Jason

    I had the same warning via Wordfence, but was not using FancyBox! Seems your live link in this post gave Wordfence a false positive, as the link was showing up in the WordPress news section. Might be an idea to remove the actual link? Thanks to Gennady Kovshein for clearing this up for my particular case! Hope this helps others before they go ahead & delete server files to reinstall like I just have :(

    • soulseekah

      I think it’s Wordfence’s fault for an incorrect detection signature. WPTavern has all the freedom it wants to post any links on, especially as text (unclickable).
