Daniel Cid, Sucuri's CTO, said that exploiting the vulnerability is simple, and that Sucuri saw many exploitation attempts in its logs.
Daniel Cid, Sucuri's CTO, said that exploiting the vulnerability is simple, and that Sucuri saw many exploitation attempts in its logs.

The developers of FancyBox – a popular WordPress plugin primarily used for displaying images, which has more than 600,000 downloads as of Thursday – have issued an update to address a zero-day vulnerability observed by researchers with Sucuri.

The security company noticed the issue after being alerted by two researchers – Konstantin Kovshenin and Gennady Kovshenin – of a possible malware outbreak impacting numerous WordPress websites, all of which had a malicious IFrame injected into the site, according to a Wednesday post.

“The plugin was not doing the proper access control and allowing remote [and] non-admin users to inject arbitrary HTML code into the plugin settings,” Daniel Cid, CTO of Sucuri, told SCMagazine.com in a Thursday email correspondence.

Cid went on to explain that instead of displaying the configured FancyBox output live on the site, it would display code injected by the attacker, be it a malicious IFrame or spam links. Attackers could also deface the website, he added.

“A large number of sites using FancyBox started to display malware that was loading an IFrame from 203koko[dot]eu,” Cid said. “That caused many of them to be blacklisted by Google and other security companies.”

Cid said that exploiting the vulnerability is simple and that, in its logs, Sucuri saw many attempts to exploit the bug.

In the post, Sucuri advised FancyBox users to remove the plugin immediately; however, Cid said the developers appear to have patched the problem on Thursday, so updating to the latest version should address the issue.