Critical zero-day vulnerability in WordPress plugin FancyBox
Security researchers at network security firm Sucuri issued a warning on Wednesday about a zero-day vulnerability that is being “actively exploited in the wild” by malicious hackers in order to infect as many victims as possible.

Half a million websites vulnerable.

While more than 70 million websites on the Internet currently run the WordPress content management system, over half a million of them use the ‘FancyBox for WordPress’ plugin, making it one of the more popular WordPress plugins for displaying images, HTML content and multimedia in a so-called “lightbox” that floats on top of Web pages.

Hackers inject a malicious iframe.

The vulnerability allows attackers to inject a malicious iframe (or any arbitrary script or content) into vulnerable websites; the injected iframe generally redirects visitors to a ‘203koko’ website.

Patch 3.0.4 released.

Without wasting much time, the developers released two new versions of the plugin on Thursday to fix the zero-day flaw. Version 3.0.3 addresses the actual flaw, while version 3.0.4, released late yesterday by José Pardilla, renames the plugin setting where the issue originated.

According to the plugin changelog, the latest update stops the malicious code from appearing on websites where the plugin is updated without the injected code having been removed. Users who have the FancyBox for WordPress plugin installed on their sites are advised to apply the patch immediately.

  • 3.0.4: Renamed the setting affected by the security issue mentioned in 3.0.3. This should stop the malicious code from appearing on sites where the plugin is updated without removing the malicious code.
  • 3.0.3: Fixed a security issue. (Thanks to mickaelb for reporting and Konstantin Kovshenin for providing the fix)
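As an added example, not code from the article or from the plugin itself, here is a small Python check that a site owner could run over a page's rendered HTML and over the plugin's main file header. It flags iframes whose src contains the ‘203koko’ marker the article mentions, or that are sized or styled to be invisible, and reports whether the installed plugin version is older than the first fixed release, 3.0.3. The sample HTML and plugin header are constructed for the example; the 203koko.invalid hostname is a placeholder rather than a real indicator, and the function names, the markers tuple and FIXED_VERSION are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a site's rendered HTML. The second iframe mimics what the
# article describes: an injected frame redirecting visitors to a "203koko" site.
# The hostname is a placeholder (.invalid TLD), not a real indicator.
SAMPLE_HTML = """<html><head><title>Example site</title></head>
<body>
<p>Welcome</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://203koko.invalid/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Constructed plugin header in the standard WordPress plugin-file format;
# the version is chosen to sit below the first fixed release.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: FancyBox for WordPress
Version: 3.0.2
*/
"""

FIXED_VERSION = "3.0.3"  # first release that addresses the flaw, per the changelog


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value) pairs; value is None for bare attributes
            self.iframes.append({name: (value or "") for name, value in attrs})


def find_suspicious_iframes(html, markers=("203koko",)):
    """Return iframes whose src matches a known marker or that are made invisible.

    Each hit is a dict with the src and the reasons it was flagged. An invisible
    frame is a weaker signal than a marker match, so the reasons are kept for triage.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if any(marker in src.lower() for marker in markers):
            reasons.append("marker")
        if attrs.get("width") == "0" or attrs.get("height") == "0" or "display:none" in style:
            reasons.append("invisible")
        if reasons:
            hits.append({"src": src, "reasons": reasons})
    return hits


def plugin_version(header_text):
    """Extract the Version: line from a WordPress plugin file header."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable_version(version, fixed=FIXED_VERSION):
    """True if version is older than the first fixed release (numeric, dot-separated compare)."""
    def as_tuple(v):
        return tuple(int(part) for part in v.split("."))
    return as_tuple(version) < as_tuple(fixed)


if __name__ == "__main__":
    version = plugin_version(SAMPLE_PLUGIN_HEADER)
    state = "VULNERABLE" if is_vulnerable_version(version) else "patched"
    print(f"plugin version {version}: {state}")
    for hit in find_suspicious_iframes(SAMPLE_HTML):
        print(f"suspicious iframe {hit['src']!r}: {', '.join(hit['reasons'])}")
```

Run the HTML check again after updating the plugin: the changelog says the update stops the injected content from appearing rather than deleting it, so a clean rendered page confirms the fix took effect, while the version check alone only confirms the file on disk.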

WordPress is a free, open source blogging tool and content management system (CMS) with more than 30,000 plugins, each of which offers custom functions and features that let users tailor their websites to their specific needs. It is easy to set up and use, which is why tens of millions of websites across the world opt for it, and that popularity makes WordPress sites a favorite target for hackers.