Owners of WordPress sites that use the Fancybox-for-WordPress plug-in should apply a critical security update released Thursday; it fixes a vulnerability that attackers are already exploiting.
Researchers from Web security firm Sucuri issued a warning about the vulnerability on Wednesday after seeing attacks that injected a malicious iframe into websites running the plug-in.
Fancybox-for-WordPress has been downloaded almost 600,000 times from the official WordPress plug-in repository to date.
"After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site," the Sucuri researchers said in a blog post in which they advised users to remove the plug-in, because at that time the flaw was unpatched.
Removal may no longer be necessary: the plug-in's developers released two new versions in rapid succession on Thursday to fix the vulnerability. Version 3.0.3 addresses the actual flaw, while version 3.0.4 renames the plug-in setting in which the injected content was being stored.
"This should stop the malicious code from appearing on sites where the plugin is updated without removing the malicious code," the plug-in developers said in the changelog.
Users are advised to update to the latest version, 3.0.4. Note that, according to the changelog, the update stops the injected content from being displayed but does not itself remove it from the affected setting, so sites that were already hit should still check for and clean out the injected code.
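The two checks a site owner would want after reading the above are (1) does my rendered front page carry an off-site or hidden iframe of the kind Sucuri observed, and (2) does a plug-in setting that should only hold small snippets of styling or script now contain HTML tags. The following is an added example written for this page, not code from Sucuri or from the plug-in; the sample HTML and option values are constructed, and the hostnames and the option names in them are hypothetical.

```python
"""Detection helpers for an injected-iframe compromise such as the one the
article describes.  Added example; the sample data below is constructed and
the hosts/option names in it are hypothetical."""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            self.iframes.append({k: v for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe is sized or styled so that a visitor would not see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
        m = re.search(dim + r":(\d+)px", style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def find_suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return [(src, [reasons])] for iframes that point off-site (and are not in
    allowed_hosts) or that are hidden.  A relative src counts as same-site."""
    parser = _IframeCollector()
    parser.feed(html)
    site_host = site_host.lower()
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host
        reasons = []
        if host != site_host and host not in allowed:
            reasons.append("offsite")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Tags that have no business inside a "custom CSS" / "extra calls" style setting.
_MARKUP_RE = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def option_contains_markup(value):
    """True if a plug-in setting value carries injected HTML tags."""
    return bool(_MARKUP_RE.search(value))


# Constructed sample page: one legitimate same-site embed, one legitimate
# third-party embed, and one injected 1x1 hidden off-site iframe.
SAMPLE_HTML = """<html><body>
<p>Welcome</p>
<iframe src="/embed/video" width="640" height="360"></iframe>
<iframe src="http://evil.example/ad.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

# Constructed sample option values (hypothetical option names).
SAMPLE_OPTIONS = {
    "fancybox_custom_css": "padding: 10px;",
    "fancybox_extra_calls": '</style><iframe src="http://evil.example/a" width=0></iframe>',
}


def scan_options(options):
    """Return the names of options whose values contain injected markup."""
    return [name for name, value in options.items() if option_contains_markup(value)]


if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, "example.com", {"www.youtube.com"}):
        print("suspicious iframe:", src, ", ".join(why))
    for name in scan_options(SAMPLE_OPTIONS):
        print("option with injected markup:", name)
```

Run the first check against the HTML the site actually serves to anonymous visitors (fetched with a plain HTTP client, not from the admin dashboard), and the second against the values exported from the options table; the article does not name the renamed setting, so look at every option the plug-in stores rather than a single known key.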
WordPress sites are a favorite target for hackers, who compromise them to host malicious content and spam pages or to try to gain control of the underlying Web servers. Vulnerabilities in WordPress plug-ins and themes have been exploited before in large-scale attacks that compromised thousands of websites.
Article source: http://www.pcworld.com/article/2880612/attackers-exploit-zeroday-flaw-in-popular-wordpress-plugin.html