Zero-day in the Fancybox-for-WordPress Plugin

Update: We posted an analysis of the vulnerability following this post.

Our research team was alerted to a possible malware outbreak affecting many WordPress websites. All the infections had a similar malicious iframe from “203koko” injected into the website. We were also directed to a forum thread where users were sharing their concerns and describing similar issues they were experiencing.

In analyzing the infected websites, we found that all the websites were using the fancybox-for-wordpress plugin.

Zero Day in Fancybox-for-wordpress

The fancybox-for-wordpress plugin is a popular WordPress plugin with more than 550,000 downloads. There doesn’t appear to be any public vulnerabilities being reported, which piqued our interest. To understand how it was connected, we decided to do our own code review.

After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information.

What makes things worse, is that it’s being actively exploited in the wild, leading to many compromised websites.

We could confirm via our Website Firewall logs by seeing many exploit attempts blocked.

This is what the attacks looks like:

46.4.76.174 – – [04/Feb/2015:00:25:09 -0500] “POST /wp-admin/admin-post.php?page=fancybox-for-wordpress HTTP/1.1” 403 4207
INPUTBODY:action=update&mfbfw%5Bext.. malware payload hidden

Remove This Plugin Immediately!

The plugin was just removed by the WordPress.org team from their repository and you need to remove it from your site as well! If you require it for specific features you really need to look at deploying alternative security solutions to help protect your website and block exploit attempts.

Users of our Website Firewall are already protected, but if you do not employ a similar service and leverage this plugin consider yourself highly vulnerable and high risk of compromise.

We will post more details about this vulnerability once we have given time for everyone to patch (when it becomes available).

Special thanks to Konstantin Kovshenin and Gennady Kovshenin for notifying and working with us on this issue.

18 comments
  1. Hi,

    Thanks for this. The above information was enough for me to locate one very obvious blunder in the code… I’ll respect the decision not to release detailed information at this point; but… my question is, did you find more than that one obvious blunder? I have a site that relies on this plugin, and I’d rather just place an early “return;” in the function rather than have to re-engineer the site…

    David

  2. in case your sites haven’t been affected but you’re not sure if they’re vulnerable – it’s worth doing a search of the directories within your server. The folder you’re looking for is “fancybox-for-wordpress”. Something akin to find . -type d -name “fancybox-for-wordpress” will do the trick.

  3. BTW, there is a security update and the plugin is again available in the official plugin repository. So if you use it, make sure to update it ASAP

  4. Administrators who had the vulnerable version of this plugin installed should also consider resetting their user sessions and credentials. The patch issued yesterday closes the exploit vector within the plugin, but depending on how an attacker chose to exploit the vulnerability, it could have lead to compromised user credentials or arbitrary code execution in the admin panel (this would have been a separate attack than the iframe being reported here).

  5. Hello.. I think this vulnerability isn’t very dangerous as you are saying, because stored xss exploitation on this plugin is possible when “hacker” has admin access, right? I think vulnerability affects on mfbfw[extraCallsData] parameter.. I tried to send $_POST data without admin access on admin-post.php or options.php but it has not worked

    1. No. admin-post.php and admin-ajax.php are both happy to handle non-logged-in requests, and fire the admin_init hook, which is why developers should never assume a user is logged in or has any kind of privileges on the admin_init hook.

      1. Ok.. thanks, then why is not working the exploit on most sites that I tried?

        post parameter mfbfw[extraCallsData] is vulnerable if I am logged in as admin

        1. The extraCallsData option was renamed in a recent patch to prevent infected sites from displaying malicious script content (that key was named differently in previous versions). The vulnerability you’re referring to is a separate issue from the one addressed in this article.

  6. A client website have been hacked because of this pugin it seems, and it have been updated some times ago. So don’t just update it : suppress it, and redowload it.

Comments are closed.

You May Also Like