Exploiting Vulnerabilities in WordPress plugins, a cybercrime trend

A serious vulnerability in the FancyBox WordPress plugin makes it easy for a hacker to compromise any website based on the popular CMS.

Last week SecurityWeek reported about another a zero-day flaw found in a WordPress plugin.

This time, a new vulnerability found in the popular FancyBox for WordPress plugin could be exploited to inject malicious iframes into many websites through a Cross Site Scripting (XSS) attack.

The security firm Sucuri investigated the flaw with the support of the experts Konstantin and Gennady Kovshenin, the latter one also provided the fix for the vulnerability. This enabled Joe Pardillo, the developer of the Fancybox plugin, to release a version without the flaw.

The FancyBox vulnerability is not the only WordPress plugin-flaw reported last year. Just 2 months ago Sucuri reported a exploit of a flaw in the Slider Revolution plugin and, half a year earlier, a Mailpoet plugin vulnerability was attacked.

The Mailpoet flaw allowed attackers to compromise more thank 50.000 WordPress sites and the Slider Revolution flaw even doubled this. But don’t underestimate the Mailpoet flaw, exploiting it threat actors could also compromise non-WordPress websites, increasing cybercrime exploits.

WordPress is used by millions of people to create websites and blogs via free customizable designs and themes, these applications exactly like the overall CMS are regularly updated.

The presence of a vulnerability in a WordPress plugin and the availability in the wild of the related exploit could affects thousands, maybe millions of websites.

The security community is, fortunately, not quiet: they have developed a website with a detailed list of found WordPress vulnerabilities, including the plugins.

Not a bad move, because it shows the security community does not do security by obscurity, but shows it investigates flaws and reports them on the internet.

This way security professionals are inspired to investigate and fixWordPress plugin flaws, reducing cybercrime risks and improving the quality of the WordPress websites.

About the author

Cordny Nederkoorn

Software test engineer, Founder TestingSaaS, a social network about software testing cloud applications

(Security Affairs –  Wordpress , plugin)