A serious vulnerability in the FancyBox WordPress plugin makes it easy for a hacker to compromise any website based on the popular CMS.
Last week SecurityWeek reported about another a zero-day flaw found in a WordPress plugin.
This time, a new vulnerability found in the popular FancyBox for WordPress plugin could be exploited to inject malicious iframes into many websites through a Cross Site Scripting (XSS) attack.
The security firm Sucuri investigated the flaw with the support of the experts Konstantin and Gennady Kovshenin, the latter one also provided the fix for the vulnerability. This enabled Joe Pardillo, the developer of the Fancybox plugin, to release a version without the flaw.
The FancyBox vulnerability is not the only WordPress plugin-flaw reported last year. Just 2 months ago Sucuri reported a exploit of a flaw in the Slider Revolution plugin and, half a year earlier, a Mailpoet plugin vulnerability was attacked.
The Mailpoet flaw allowed attackers to compromise more thank 50.000 WordPress sites and the Slider Revolution flaw even doubled this. But don’t underestimate the Mailpoet flaw, exploiting it threat actors could also compromise non-WordPress websites, increasing cybercrime exploits.
WordPress is used by millions of people to create websites and blogs via free customizable designs and themes, these applications exactly like the overall CMS are regularly updated.
The presence of a vulnerability in a WordPress plugin and the availability in the wild of the related exploit could affects thousands, maybe millions of websites.
The security community is, fortunately, not quiet: they have developed a website with a detailed list of found WordPress vulnerabilities, including the plugins.
Not a bad move, because it shows the security community does not do security by obscurity, but shows it investigates flaws and reports them on the internet.
This way security professionals are inspired to investigate and fixWordPress plugin flaws, reducing cybercrime risks and improving the quality of the WordPress websites.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.