A zero-day vulnerability has been discovered in the WordPress plugin “Fancy Box for WordPress”.
If left unpatched, a WordPress installation utilizing version 3.0.3 or earlier could allow an attacker to install malware or other malicious content on the vulnerable site.
A patched version of the “FancyBox for WordPress” plugin, ver. 3.0.4, has been released that’s reported to fix the vulnerability.
Any site utilizing “FancyBox for WordPress” should either unistall the plugin entirely or update to the patched version of the plugin immediately.
The patched version of “FancyBox for WordPress” is 3.0.4 and can be downloaded from WordPress.org.
Note: Indications are this does not affect the jQuery fancybox.js, Easy FancyBox, NextGen Gallery, or other WordPress plugins with completely different code bases. This alert is specifically for “FancyBox for WordPress” ver. 3.0.3 or earlier.
For more details on the vulnerability, please visit:
Vulnerability in FancyBox Plugin for WordPress – Update immediately (WordFence Blog)
Zero-day in the Fancybox-for-WordPress Plugin (Sucuri Blog)
NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.