New version mitigates the risk, admins advised to update

Feb 5, 2015 21:57 GMT  ·  By

The FancyBox component for WordPress received a security update on Thursday that fixes a critical vulnerability currently exploited in the wild by cybercriminals.

The WordPress component is designed to improve the user experience on a website by displaying multimedia content in a “fancy box” that pops up on top of the regular site content.

It is highly customizable and popular among site administrators; at the time of writing, its download counter showed more than 600,000 downloads.

Researchers from security firm Sucuri noticed an increased number of infections due to a malicious iframe being injected into WordPress websites. The common denominator for all affected sites was FancyBox, which was exploited through a vulnerability unknown at that time.
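Since the infections described above surfaced as iframes injected into the affected sites, a site owner's first practical check is whether their pages, or the plug-in settings stored in the database, contain frames pointing at hosts they never intended to embed. The following detection script is an added example for this article and is not code from Sucuri or from the FancyBox project; the trusted-host allowlist, the sample page and the sample option values are all constructed here, and the option names are hypothetical rather than the plug-in's real setting names.

```python
"""Flag <iframe> elements whose source host is not on an allowlist.

Added example (not from the article or the FancyBox project): the allowlist,
the sample HTML and the sample option values below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this hypothetical site legitimately embeds from.
TRUSTED_IFRAME_HOSTS = {"www.youtube.com", "player.vimeo.com"}


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names; attrs is a list of (name, value).
        if tag == "iframe":
            attr_map = dict(attrs)
            self.sources.append(attr_map.get("src") or "")


def suspicious_iframes(html, trusted_hosts=TRUSTED_IFRAME_HOSTS):
    """Return the src of each iframe whose host is missing or untrusted.

    An iframe with no src (populated later by script) is reported as well,
    since an allowlist cannot vouch for it.
    """
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        host = urlparse(src).hostname  # handles scheme-relative "//host/..." too
        if not host or host.lower() not in trusted_hosts:
            flagged.append(src)
    return flagged


def scan_option_values(options, trusted_hosts=TRUSTED_IFRAME_HOSTS):
    """Scan stored plug-in settings (name -> value) for injected iframes.

    Returns only the option names that carry a flagged iframe, mapped to the
    offending src values, so an admin knows which setting to clean.
    """
    findings = {}
    for name, value in options.items():
        hits = suspicious_iframes(str(value), trusted_hosts)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample page: one legitimate embed, one injected 1x1 frame.
SAMPLE_PAGE = """<html><body>
<p>Gallery</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://injected.example/frame.html" width="1" height="1"></iframe>
</body></html>"""

# Constructed sample settings; the option names are hypothetical.
SAMPLE_OPTIONS = {
    "gallery_title": "My photos",
    "custom_footer_html": '<iframe src="http://injected.example/frame.html"></iframe>',
}

if __name__ == "__main__":
    print("page:", suspicious_iframes(SAMPLE_PAGE))
    print("options:", scan_option_values(SAMPLE_OPTIONS))
```

In a real deployment the page HTML would come from fetching the site as an anonymous visitor and the option values from the WordPress options table; the allowlist should be as short as the site's genuine embeds allow.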

“After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information,” a blog post from Daniel Cid informed on Wednesday.

Their recommendation was to remove the plug-in in order to mitigate the risk, until the developers addressed the issue.

Currently, the latest version of FancyBox for WordPress is 3.0.4, and it contains a fix for the bug observed by Sucuri. According to the product's changelog, two updates have been rolled out: one that dealt with the security issue and another that renamed the setting affected by the vulnerability.

The rename was intended to deactivate malicious code already planted on infected websites: the injected content refers to the old setting name, so once the plug-in reads its configuration from the renamed setting, the planted code is no longer picked up.

[Image gallery: FancyBox (2 images). Captions: “FancyBox improves the way images are displayed”; “The plug-in offers rich customization options”]