Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Vulnerability in FancyBox Plugin for WordPress – Update immediately

This entry was posted in WordPress Security on February 5, 2015 by Mark Maunder   18 Replies

A serious vulnerability has been discovered in the FancyBox plugin for WordPress. Please upgrade immediately to FancyBox 3.0.4 and monitor your site for infections. Also upgrade immediately if you see any further releases from FancyBox because the issue may need further patching.

The issue emerged yesterday on the WordPress forums, was investigated by our colleagues in infosec at Sucuri and through some excellent work by Daniel Cid and his team they identified what appears to be a zero day in the FancyBox plugin.

Update FancyBox for WordPress immediately and monitor your site and the FancyBox plugin for releases.


Did you enjoy this post? Share it!

18 Comments on "Vulnerability in FancyBox Plugin for WordPress – Update immediately"

Jonathan February 5, 2015 at 6:12 am

Just wondering if this impacts the EasyFancyBox plugin for WordPress? I don't use FancyBox but I do indeed use EasyFancyBox.....

I have not seen an update for EasyFancyBox but am wondering if I could be vulnerable - how can I check/verify the exploit doesn't exist in this plugin?

Any ideas/thoughts would be great!

mark February 5, 2015 at 6:53 am

HI Jonathan, see below. I did some analysis and it looks like the answer is no.

Jonathan February 5, 2015 at 6:55 am

Thanks Mark - appreciate the effort to compare the code and get back!

charlie February 5, 2015 at 6:24 am

What about Easy Fancy Box? https://wordpress.org/plugins/easy-fancybox/ is this at risk as well?

mark February 5, 2015 at 6:54 am

Hi Charlie. See below. The answer appears to be no.

Shea February 5, 2015 at 6:31 am

Always appreciate these notifications. Thank you!

Anybody know if this also applies to the Easy Fancybox plugin?


mark February 5, 2015 at 6:49 am

Hi. I've looked at https://wordpress.org/plugins/easy-fancybox/ and the code is very different. The only files that are the same are image files. I've also searched for the code that Fancybox for WordPress fixed and did not find it in Easy Fancybox. So I don't think this vulnerability exists in Easy Fancybox.

Leo Hartas February 5, 2015 at 6:47 am

Does this also apply to the Fancy Gallery plugin? Thanks.

mark February 5, 2015 at 6:52 am

No I don't think it does. The code for Fancy Gallery looks very different, it doesn't contain the vulnerable code from FancyBox for WP and there isn't a single source or other file that matches.

Leo Hartas February 5, 2015 at 7:32 am

Thank you Mark for checking.

Stephen February 5, 2015 at 7:36 am

What about Nextgen Gallery? Particular folder "/plugins/nextgen-gallery/products/photocrati_nextgen/modules/lightbox/static/fancybox"

mark February 5, 2015 at 7:51 am

I haven't checked, but just because it says 'fancybox' doesn't suggest a vulnerability. It looks like it was a vulnerability in this plugins code only.

Stephen February 5, 2015 at 7:56 am

I asked on the Nextgen Gallery support and was told it isn't anyways, since it is part of a library. Still leaves me with trying to figure out what triggers 504 errors. Only happens when I block certain IP addresses in Wordfence (which isn't my own IP of course, as it wouldn't allow that anyways). Whole unrelated other issue.

Link to response - https://wordpress.org/support/topic/fancybox-included-with-nextgen-affected-by-vulnerbilty?replies=2#post-6528877

Ian Carter February 5, 2015 at 7:59 am

Pardon my ignorance, but what's a zero day?

Scott Hartley February 5, 2015 at 11:49 am

A zero-day vulnerability simply means that it is an active vulnerability that is affecting all users and was probably around for a while. Think of it as a new and active exploit that is still needing to be patched.

Robert Paprocki February 5, 2015 at 9:58 am

Unfortunately it looks like the patch for this vulnerability has caused additional issues within the plugin, namely, a broken portion of the options page - https://www.cryptobells.com/fancybox-for-wordpress-zero-day-and-broken-patch/

Gennady Kovshenin February 6, 2015 at 9:26 am

Hey guys, it seems that Wordfence is being triggered by the WPTavern post about 203koko being stored in Dashboard Blogroll caches, making people panic even though they never had fancybox-for-wordpress https://wordpress.org/support/topic/possible-malware-2/page/3?replies=87#post-6532356

The exploit as seen in the wild did not store the URL in PHP, but rather in the database. Might help finetune the signature for it a bit. Hope this helps.

mark February 8, 2015 at 10:38 pm

Thanks Gennady, but this is actually a malicious URL which is why it's being flagged and if it's in the blogroll cache that means it's exposed on he dashboard? So I think it's not a false positive and anyone who wants to ignore the warning from WF should just click the ignore option.

Follow Us


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates