Last week SecurityWeek reported about another a zero-day flaw found in a WordPress plugin.
This time, a new vulnerability found in the popular FancyBox for WordPress plugin could be exploited to inject malicious iframes into many websites through a Cross Site Scripting (XSS) attack.
The security firm Sucuri investigated the flaw with the support of the experts Konstantin and Gennady Kovshenin, the latter one also provided the fix for the vulnerability. This enabled Joe Pardillo, the developer of the Fancybox plugin, to release a version without the flaw.
The FancyBox vulnerability is not the only WordPress plugin-flaw reported last year. Just 2 months ago Sucuri reported a exploit of a flaw in the Slider Revolution plugin and, half a year earlier, a Mailpoet plugin vulnerability was attacked.
The Mailpoet flaw allowed attackers to compromise more thank 50.000 WordPress sites and the Slider Revolution flaw even doubled this. But don’t underestimate the Mailpoet flaw, exploiting it threat actors could also compromise non-WordPress websites, increasing cybercrime exploits.
WordPress is used by millions of people to create websites and blogs via free customizable designs and themes, these applications exactly like the overall CMS are regularly updated.
The presence of a vulnerability in a WordPress plugin and the availability in the wild of the related exploit could affects thousands, maybe millions of websites.
The security community is, fortunately, not quiet: they have developed a website with a detailed list of found WordPress vulnerabilities, including the plugins.
Not a bad move, because it shows the security community does not do security by obscurity, but shows it investigates flaws and reports them on the internet.
This way security professionals are inspired to investigate and fixWordPress plugin flaws, reducing cybercrime risks and improving the quality of the WordPress websites.
About the author
Software test engineer, Founder TestingSaaS, a social network about software testing cloud applications
(Security Affairs – Wordpress , plugin)
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
A cyber attack has been disrupting operations at Synlab Italia, a leading provider of medical…
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler…
A financially motivated group named GhostR claims the theft of a sensitive database from World-Check…
Researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve…
Japan's CERT warns of a vulnerability in the Forminator WordPress plugin that allows unrestricted file uploads…
This website uses cookies.