• Hi, I love your plugin but Google nearly stopped my heart today with this notification:

    FancyBox for WordPress Update Available

    As of the last crawl of your website, you appear to be running FancyBox for WordPress 3.0.2 or below. One or more of the URLs found were:

    https://www.kimnovakartist.com/contact/
    https://www.kimnovakartist.com/tag/actress/
    https://www.kimnovakartist.com/tag/alfred-hitchcock/

    Google recommends that you update to the latest release. Older or unpatched software may be vulnerable to hacking or malware that can hurt your users. To download the latest release, visit the FancyBox for WordPress download page. If you have already updated to the latest version of FancyBox for WordPress, please disregard this message.

    It’s hard to know whether their “last crawl” was a day ago or a week ago, and I’m sorry, but I don’t have a record of the last time I updated the plugin; it is currently at version 3.0.5. As you can imagine from the URLs above, this is a very important client for me and I want to keep her website as safe as possible. I’ve read about the zero-day vulnerability (Wordfence notified me about this on Feb 5, which is probably when I updated the plugin) and I try to keep everyone’s sites as up to date as possible anyway, but would appreciate some reassurance from you that Kim’s site is okay. Thanks from a paranoid web designer!

    Hannah

    https://www.ads-software.com/plugins/fancybox-for-wordpress/

Viewing 3 replies - 1 through 3 (of 3 total)
  • I have just had a shed load of Google emails saying the same thing, but I am confused as the update from 3.0.4 to 3.0.5 is not a security update. Also, why is Google only alerting on this plugin and not all the others that need an update? Very strange. Anyone any ideas?

    Hi,

    The site looks safe to me right now, but it would be best to check to make sure. The message from Google means the vulnerability was exploited on the site. The only code I’ve personally seen being added to sites was an iframe that was posted in some site like WPTavern on the day it was discovered.

    I haven’t heard of any installation that had its admin panel hacked into as a result of the vulnerability.

    Also, looking at those links now shows no malicious code that I can see, but as I mentioned, it’s never a bad idea to run a malware scan. You can look for a plugin to do this if you don’t have one of your choice already: https://www.ads-software.com/plugins/search.php?q=malware+scanner

    The Google warnings could be from a cached version of the site too, so if you run any cache plugins, make sure it has been cleared.

    Once you’re certain there are no traces left, it would be a good idea to change passwords to be on the safe side.

    As for the patching of the issue, here’s a bit of info:

    On the day of discovering the issue I was notified and an update (v3.0.3) was released to fix the vulnerability hole. With v3.0.4 another change was made to clean the iframe or any other injected code from the database and stop it from appearing on affected installations. After being in contact with them, the WP.org security team set the update to v3.0.4 on automatic for all sites that support automatic updates. I think the autoupdate was left on for the following 24h, meaning a lot of people had the plugin updated without even knowing. After the autoupdate was disabled again, I released v3.0.5 which introduced just a few other minor fixes and changes.

    For more info you can check: https://www.ads-software.com/plugins/fancybox-for-wordpress/faq/

    Sorry for the inconvenience, let me know if you have any more questions.

    I think the problem might be that the database seems to retain the old version value (e.g. 3.0.2) and Google (Webmaster Tools in fact I think) reads that?

    Check wp_options, option_name: mfbfw_active_version. Make sure that value matches the actual version.
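The two checks suggested in this thread (the stored `mfbfw_active_version` value versus the version the plugin files actually carry, and a look through `wp_options` for the kind of injected iframe the plugin author describes cleaning out) can be scripted. The block below is an added example and is not code from the plugin or from anyone in the thread. It assumes the default `wp_` table prefix and stands in an in-memory SQLite table for the site's MySQL database so it runs offline; the plugin header text and the option rows are constructed samples, and the option named `example_setting` is hypothetical.

```python
"""Audit a WordPress wp_options table for two symptoms raised in the thread:
a stale mfbfw_active_version value and iframe/script markup stored in option values.

An in-memory SQLite table stands in for the site's MySQL database; against a
live site, run the same two SELECT statements in MySQL (mind the table prefix).
"""
import re
import sqlite3

# Constructed sample of the plugin header WordPress reads from the plugin's main
# PHP file (the real one lives under wp-content/plugins/fancybox-for-wordpress/).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: FancyBox for WordPress
Version: 3.0.5
*/
"""

# Constructed wp_options rows.  mfbfw_active_version is the option named in the
# thread; example_setting is a hypothetical option carrying an injected iframe
# of the kind the author describes being cleaned from the database in v3.0.4.
SAMPLE_OPTIONS = [
    ("mfbfw_active_version", "3.0.2"),
    ("blogname", "Example Site"),
    ("example_setting",
     'label <IFRAME src="http://malicious.invalid/" width=0 height=0></iframe>'),
    ("another_setting", "plain value"),
]

# Markup that has no business inside a stored option value.
INJECTION_PATTERN = re.compile(r"<\s*(?:iframe|script)\b|javascript\s*:", re.IGNORECASE)
PREFIX_PATTERN = re.compile(r"^[A-Za-z0-9_]+$")


def build_sample_db():
    """Create the stand-in wp_options table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_OPTIONS)
    return conn


def installed_version(header_text):
    """Parse the 'Version:' line of a WordPress plugin header; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def _table(prefix):
    # The prefix comes from wp-config.php, but validate it anyway before
    # interpolating it into SQL; option names go through a bound parameter.
    if not PREFIX_PATTERN.match(prefix):
        raise ValueError("unexpected table prefix: %r" % prefix)
    return prefix + "options"


def stored_version(conn, prefix="wp_"):
    """Return the mfbfw_active_version option value, or None if the row is missing."""
    row = conn.execute(
        "SELECT option_value FROM %s WHERE option_name = ?" % _table(prefix),
        ("mfbfw_active_version",),
    ).fetchone()
    return row[0] if row else None


def find_injected_markup(conn, prefix="wp_"):
    """Names of options whose value contains iframe/script markup, in table order."""
    rows = conn.execute("SELECT option_name, option_value FROM %s" % _table(prefix))
    return [name for name, value in rows if value and INJECTION_PATTERN.search(value)]


def audit(conn, header_text, prefix="wp_"):
    """Combine both checks into one report dictionary."""
    stored = stored_version(conn, prefix)
    installed = installed_version(header_text)
    return {
        "stored": stored,
        "installed": installed,
        "version_mismatch": stored != installed,
        "suspicious_options": find_injected_markup(conn, prefix),
    }


if __name__ == "__main__":
    report = audit(build_sample_db(), SAMPLE_PLUGIN_HEADER)
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```

A version mismatch on its own supports the explanation in the last reply (a stale stored value that a crawler picks up) rather than proving a compromise; a hit in `suspicious_options` is the thing to act on, and the same regex can be run over `wp_posts.post_content` with the same query shape, since injected markup is just as likely to sit there.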

  • The topic ‘Google notified me that I'm using code from 3.0.2 but Fancybox is at 3.0.5’ is closed to new replies.