Developers have patched a zero day vulnerability in FancyBox, a plug-in for WordPress, which allowed malware to be added via an iFrame to infected sites.
Despite not having been updated in over two years, Jose Pardilla, the author of FancyBox, insisted early Thursday that he had fixed the flaw with version 3.0.3 of the plugin, pushed today.
“My blog has been hacked because of this plugin. There is a security issue. It’s allow to inject some JS code in your pages,” wrote one WordPress.org member on Wednesday.
According to researchers at the firm Sucuri, the vulnerability allows any random script or content to be added to sites that use older versions of the plugin. Each infection had a malicious iFrame from a website called “203koko” injected into it, wrote Daniel Cid, Sucuri’s CTO/Founder. Before it had been patched, Cid added that the vulnerability had led to many compromised sites.
Zero Day in @WordPress Plugin #FancyBox Patched Following ExploitsTweet
Pardilla claims he intends to push another patch live today, 3.0.4, that renames ExtraCalls, the parameter affected by the vulnerability, to ensure “the malicious code is not causing trouble for users that update the plugin without removing the actual malicious code.”
“The Extra Calls feature is an advanced setting disabled by default that most sites won’t need to use, but those that did use it will have to check this setting and reconfigure it,” Pardilla said.
Two independent Russian researchers, Konstantin Kovshenin and Gennady Kovshenin, helped identify the vulnerability and pieced together information that affected users offered up on WordPress’ forums. As the plugin hadn’t been updated for two years and a patch hasn’t surfaced yet, both Kovshenins advised disabling the plugin to prevent further trouble.
— Gennady Kovshenin (@soulseekah) February 4, 2015
The researchers pointed out that the 203koko site had been blocked by Google for containing malware and that the ExtraCalls setting on affected WordPress sites was being modified under certain circumstances.
After comparing server logs and forwarding them along to Sucuri, Cid and company were able to get hold of the malware’s payloads to confirm the 0-day.
Having been downloaded by more than half a million users, FancyBox is fairly popular. The plugin calls itself a “fancy jQuery lightbox alternative,” and helps developers add HTML, images, and multimedia to lightboxes.