Our research team was alerted to a possible malware outbreak affecting many WordPress websites. All the infections had a similar malicious iframe from “203koko” injected into the website. We were also directed to a forum thread where users were sharing their concerns and describing similar issues they were experiencing.
In analyzing the infected websites, we found that all the websites were using the fancybox-for-wordpress plugin.

Zero day in fancybox-for-wordpress

The fancybox-for-wordpress plugin is a popular WordPress plugin with more than 550,000 downloads. There did not appear to be any publicly reported vulnerabilities for it, which piqued our interest. To understand how it was connected, we decided to do our own code and vulnerability review.
After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information.
What makes things worse is that it is being actively exploited in the wild, leading to many compromised websites.
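The infections described at the top of this thread all share one observable trait: an iframe pointing at a "203koko" host injected into the rendered page. The following added example (not code from the original post or from the plugin) is a small defender-side scanner that parses HTML and flags iframes whose src matches that indicator or that are hidden via CSS or a 0/1-pixel size, which is how injected iframes are usually concealed. The sample HTML and the "203koko.example" host are constructed for the demonstration; the real injected host name is not given here, so only the "203koko" substring from the report is used as the match.

```python
"""Scan rendered HTML for injected or hidden iframes (added detection example)."""
from html.parser import HTMLParser

# Indicator taken from the report: the injected iframe referenced a "203koko" host.
IOC_SUBSTRINGS = ("203koko",)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values can be None for bare attributes like <iframe hidden>.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (optionally with px), e.g. '1px'."""
    digits = value.strip().lower().removesuffix("px").strip()
    return digits in ("0", "1")


def find_suspicious_iframes(html, iocs=IOC_SUBSTRINGS):
    """Return a list of {'src': ..., 'reasons': [...]} for each suspicious iframe."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if any(ioc in src.lower() for ioc in iocs):
            reasons.append("src matches known indicator")
        if "display:none" in style or "visibility:hidden" in style or "hidden" in attrs:
            reasons.append("iframe hidden via CSS/attribute")
        if _is_tiny(attrs.get("width", "x")) and _is_tiny(attrs.get("height", "x")):
            reasons.append("iframe sized 0/1 pixel")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: one legitimate embed plus one injected, hidden iframe.
SAMPLE_HTML = """
<html><body>
<p>Gallery page</p>
<iframe src="https://example.com/embed/video" width="560" height="315"></iframe>
<!-- injected by the attacker; host name is a constructed placeholder -->
<iframe src="http://203koko.example/in.php" style="display: none" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML):
        print(hit["src"], "->", "; ".join(hit["reasons"]))
```

Run it against the HTML of a suspect page (for example, saved output of `curl` against the site) rather than against the theme files alone: the plugin renders its settings into every page, so the injected markup shows up in the served HTML even when no PHP file on disk has been modified.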
We could confirm via our Website Firewall logs by seeing many exploit attempts blocked.
This is what the attacks look like:
Edited by hamluis, 05 February 2015 - 09:28 PM.