Last week SecurityWeek reported about another a zero-day flaw found in a WordPress plugin.
This time, a new vulnerability found in the popular FancyBox for WordPress plugin could be exploited to inject malicious iframes into many websites through a Cross Site Scripting (XSS) attack.
The security firm Sucuri investigated the flaw with the support of the experts Konstantin and Gennady Kovshenin, the latter one also provided the fix for the vulnerability. This enabled Joe Pardillo, the developer of the Fancybox plugin, to release a version without the flaw.
The FancyBox vulnerability is not the only WordPress plugin-flaw reported last year. Just 2 months ago Sucuri reported a exploit of a flaw in the Slider Revolution plugin and, half a year earlier, a Mailpoet plugin vulnerability was attacked.
The Mailpoet flaw allowed attackers to compromise more thank 50.000 WordPress sites and the Slider Revolution flaw even doubled this. But don’t underestimate the Mailpoet flaw, exploiting it threat actors could also compromise non-WordPress websites, increasing cybercrime exploits.
WordPress is used by millions of people to create websites and blogs via free customizable designs and themes, these applications exactly like the overall CMS are regularly updated.
The presence of a vulnerability in a WordPress plugin and the availability in the wild of the related exploit could affects thousands, maybe millions of websites.
The security community is, fortunately, not quiet: they have developed a website with a detailed list of found WordPress vulnerabilities, including the plugins.
Not a bad move, because it shows the security community does not do security by obscurity, but shows it investigates flaws and reports them on the internet.
This way security professionals are inspired to investigate and fixWordPress plugin flaws, reducing cybercrime risks and improving the quality of the WordPress websites.
About the author
Software test engineer, Founder TestingSaaS, a social network about software testing cloud applications
(Security Affairs – Wordpress , plugin)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.