The Fancybox plugin for WordPress has been hit by a zero-day exploit that allows hackers to inject malicious code into websites, reports ZDNet.
The plugin, which has been downloaded 600,000 times from the official WordPress plugin repository, is a tool for displaying images, HTML content and multimedia in a lightbox. Russian security researchers Gennady and Konstantin Kovshenin found that attackers could deliver malicious iframes through a persistent cross-site scripting vulnerability, according to The Register. The bug was first spotted on the WordPress forums, where writers reported unauthorized iframe being injected from unknown sites.
Researchers did not give a figure as to how many websites had been infected with this exploit, leaving the number at "many". They are also declining to reveal the full details of the exploit, until the risk is reduced to prevent copycat attacks.
Although the initial advice given was to remove the plugin, PC World notes that the plugin has since been updated to fix the issue. In fact, it was updated twice in quick succession, both times responding to the nature of the attack. Version 3.0.3 fixes the bug itself, and version 3.0.4 renames the plugin setting which led to the issue in the first place. "This should stop the malicious code from appearing on sites where the plugin is updated without removing the malicious code," the changelog explains.
The Register notes that WordPress "pulled the plugin prior to the patch, as the vulnerability allowed random scripts to be loaded into vulnerable sites." However, as Wordpress has a self-hosted version alongside the wordpress.com variety, users are advised to update their plugins as soon as possible.
Wordpress is one of the most popular blogging platforms around, and ZDNet claims that 23 percent of the top 10 million websites use it in some form.