A client website has been hacked because of this plugin, it seems, and it had been updated some time ago. So don't just update it: suppress it, and redownload it.
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-4597
In reply to terrorist. The extraCallsData option was renamed in a recent patch to pre...
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-4596
In reply to kovshenin. Ok.. thanks, then why is the exploit not working on most sites...
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-4595
In reply to terrorist. No. admin-post.php and admin-ajax.php are both happy to handle...
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-4594
Hello.. I think this vulnerability isn't as dangerous as you are saying, because stored XSS exploitation on this plugin is possible when "hacker" has admin access, right? I think vulnerability ...
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-4593
It is still there! https://wordpress.org/plugins/fancybox-for-wordpress/screenshots/
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-6130
Administrators who had the vulnerable version of this plugin installed should also consider resetting their user sessions and credentials. The patch issued yesterday closes the exploit vector wit...
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-4592
BTW, there is a security update and the plugin is again available in the official plugin repository. So if you use it, make sure to update it ASAP
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-4591
In case your sites haven't been affected but you're not sure if they're vulnerable - it's worth doing a search of the directories within your server. The folder you're looking for is "fancybox-fo...
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-4590
FYI: It's been patched with version 3.0.3 https://wordpress.org/support/topic/is-plugin-safe-to-use-again And according to their changelog for 3.0.4: Renamed the setting affected by the security ...
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-6129
In reply to David Anderson. David, a patch was released and the latest version is ava...
https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html#comment-6128