It has been a busy couple of weeks for our team, and a large share of the clean-ups we performed were the result of a critical zero-day vulnerability. The vulnerability was discovered in a popular WordPress plugin called ‘FancyBox for WordPress’. The plugin is widely used in the WordPress community, with over 600,000 downloads.

FANCYBOX FOR WORDPRESS

By default, the plugin will use jQuery to apply FancyBox to any thumbnails that link directly to an image. This includes posts, the sidebar, etc, so you can activate it and it will be applied automatically.
But during the first days of February a zero-day vulnerability was detected in it, and it was found to be “actively exploited in the wild” by malicious hackers in order to infect as many victims as possible.

Interestingly, when such news is published even more sites get infected through the same vulnerability, almost as if hackers got one more idea on what to exploit.

HOW HACKERS INJECT MALWARE INTO WEBSITES

Once the news broke, FancyBox for WordPress was temporarily removed from the WordPress Plugins Directory, and researchers advised site owners and WordPress developers to remove the plugin, as it had not been updated for two years and posed a security threat to users.

This of course does not solve the situation for sites that already have the plugin installed and in use. All these sites remain threatened, and hackers may still use the vulnerability to their advantage.
It appears that all the infected sites had a similar malicious iframe referencing ‘203koko’ injected into the website.

PATCH RELEASED

Of course, the plugin has not stayed suspended: a new version with a patch for the vulnerability has been released.

According to the plugin’s change log, the latest update stops the injected malicious code from appearing on websites where the plugin is updated, but it does not remove that malicious code. Users who have FancyBox for WordPress installed on their sites are advised to apply the patch immediately.
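
Because the update hides the injected code rather than removing it, a site owner still wants a way to find it. The script below is an added example, not code from the original post or from the plugin’s authors: it scans a page’s HTML (or content dumped from the database) for iframes that reference the ‘203koko’ indicator mentioned above, or that are concealed the way injected frames usually are. The sample HTML, the domains in it and the concealment heuristic are constructed assumptions.

```python
from html.parser import HTMLParser

# Indicator taken from the post: the injected iframe referenced '203koko'.
KNOWN_INDICATORS = ("203koko",)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes (lower-cased keys)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_concealed(attrs):
    """Heuristic (assumption): 0/1-pixel frames or CSS hiding, typical of injected frames."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(d, "").strip("\"' px") in ("0", "1") for d in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html):
    """Return (src, reason) for each iframe that matches an indicator or looks concealed."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        if any(ind in src.lower() for ind in KNOWN_INDICATORS):
            findings.append((src, "known indicator"))
        elif _is_concealed(attrs):
            findings.append((src, "concealed iframe"))
    return findings


# Constructed sample (not real captured content): one legitimate embed, two injected frames.
SAMPLE_HTML = """
<div class="post"><iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe></div>
<iframe src="http://203koko.example/stat.php" width="1" height="1" style="display:none"></iframe>
<iframe src="http://unknown.example/x.html" style="visibility: hidden"></iframe>
"""

if __name__ == "__main__":
    for src, reason in find_suspicious_iframes(SAMPLE_HTML):
        print(f"{reason}: {src}")
```

Run it against the rendered pages of a patched site or against a dump of its post content and plugin settings; a hit means the injected code is still stored even though the patch stops it from rendering.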

In case your site has been affected and the patch has not helped, feel free to turn to us. Our goal is to make the internet a safer place.