Forum Replies Created

Viewing 15 replies - 1 through 15 (of 120 total)
  • Sorry to hear it doesn’t work for you. The plugin has never stopped working on my sites though, either live ones or local test sites.

    Unless you need a responsive lightbox, there’s currently nothing wrong with the plugin, technically. If you do there are of course many newer alternatives. Fancybox 1.x is an aging lightbox implementation, replaced some time ago by a completely rewritten Fancybox 2, under a different license (reason why I didn’t update my plugin to it).

    Fancybox for WP, like many other jQuery dependent plugins will break on sites where jQuery is being poorly re-registered, missing jquery-migrate (which WordPress takes care of by default), or in cases where something else (either theme or plugin) breaks jQuery.

    Please check this page and make sure the plugin is updated and its settings have been reset after updating.

    For issues regarding last year’s vulnerability, please check the plugin’s FAQ: https://www.ads-software.com/plugins/fancybox-for-wordpress/faq/

  • Hi benbook,

    While I don’t understand French, I think you’re referring to a vulnerability found in February 2015. This was patched as soon as it was found; you can find more about the issue here.

  • Hi,

    The vulnerability you mention was found in February, and it was in fact patched; however, WordPress installations that ran the vulnerable version (version 3.0.2 or lower) could have malicious code like an iframe stored in the plugin’s settings. If your site was using the plugin back then you should check that it is clean, or reset the plugin’s settings to be sure.

    You can find more info about the vulnerability here: https://www.ads-software.com/plugins/fancybox-for-wordpress/faq/

  • Hi,

    Please note there was a vulnerability in an older version of the plugin, patched as soon as it was found in February. This vulnerability could be used to modify the plugin’s settings and add malicious code like iframes or Flash embeds. The issue was fixed, but malicious code added during that time frame could remain in your website.

    There shouldn’t be any iframes in that part of the plugin’s code, so it would be advisable that you make sure the plugin is updated and then reset the plugin’s settings from its admin page to make sure there’s no malicious code on your site.

    After doing this, the fix you applied should not be needed anymore for the settings page to work correctly.

    If you have any questions please let me know.

  • Hi,

    The info you provided suggests you removed the plugin but not its settings, meaning the malware could have remained there and been loaded again after activating the plugin’s newest version.

    Keep in mind that by malware in this case I mean an iframe, script or similar code that can’t be loaded unless the plugin is active, which explains why there were no issues while the plugin was deactivated/uninstalled.

    Did you reset the plugin settings at any time? Also when you checked the database did you check for the option “mfbfw”? This is where the plugin stores its settings.

    If you can check again, make sure “mfbfw” in wp_options does not contain any iframes, script tags or similar suspicious code.

    Alternatively you can enable the plugin, go to its settings page and reset the settings from there to start fresh.
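
One way to do the check described in the reply above, as an added example that is not the plugin’s own code: the script parses a PHP-serialized settings array of the kind WordPress stores in the wp_options table (the reply names the option as “mfbfw”) and reports which setting value contains iframe, script, embed or object markup. The setting names and the injected iframe in the sample are constructed for the example and are not the plugin’s real setting names.

```python
import re

# Markup that has no business inside a lightbox plugin's settings values.
SUSPICIOUS = re.compile(
    r"<\s*(iframe|script|embed|object)\b|javascript:|base64_decode\s*\(",
    re.IGNORECASE,
)


def php_serialize(value):
    """Serialize bool/int/str/dict the way PHP's serialize() does (that subset only)."""
    if isinstance(value, bool):
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)   # PHP string lengths are byte counts
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %r" % type(value))


def _parse(data, pos):
    """Parse one serialized value at byte offset pos; return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"b":
        return data[pos + 2:pos + 3] == b"1", pos + 4
    if tag == b"i":
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == b"s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                       # skip ':"'
        raw = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("declared string length does not match payload at %d" % pos)
        return raw.decode("utf-8"), start + length + 2
    if tag == b"a":
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                         # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            result[key] = val
        if data[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return result, pos + 1
    raise ValueError("unsupported type tag %r at offset %d" % (tag, pos))


def php_unserialize(data):
    """Turn a serialized option_value (bytes) back into Python values."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value


def find_injected_markup(option_value):
    """Return [(setting_name, snippet)] for every string setting holding suspicious markup."""
    settings = php_unserialize(option_value)
    hits = []
    for name, val in settings.items():
        if isinstance(val, str):
            m = SUSPICIOUS.search(val)
            if m:
                hits.append((name, val[m.start():m.start() + 60]))
    return hits


# Constructed sample settings: the names are made up, only the shape (a PHP
# serialized associative array) matches what the mfbfw option holds.
CLEAN_SETTINGS = {"padding": "10", "showCloseButton": True, "extraCallsData": ""}
INFECTED_SETTINGS = dict(
    CLEAN_SETTINGS,
    extraCallsData="<iframe src='http://example.invalid/x' width=0 height=0></iframe>",
)

if __name__ == "__main__":
    for label, settings in (("clean", CLEAN_SETTINGS), ("infected", INFECTED_SETTINGS)):
        print(label, find_injected_markup(php_serialize(settings)))
```

To use it on a real site, export the option value (for instance the output of `SELECT option_value FROM wp_options WHERE option_name = 'mfbfw'` in phpMyAdmin) and pass those bytes to find_injected_markup. The parser deliberately checks the declared string lengths against the payload, so a value that has been hand-edited and no longer unserializes in PHP is reported as an error rather than silently skipped.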

  • Hi acurran,

    Sorry for the inconvenience.

    There was a vulnerability in version 3.0.2 that was exploited for a brief period of time and patched as soon as it became known in February (more info). It’s likely the breach occurred back then and the malware code remained in the database since, or it might have occurred recently if the plugin was not up to date.

    Make sure to remove the malware if you haven’t already (if unsure, you can use the reset settings button to clean it), and check all instances of the plugin on other WordPress installations are clean and up to date.

  • mangonyc,

    You can enable the uninstall option in the plugin’s settings, save, and then deactivate the plugin, and the two settings will be removed from the database.

    As you asked, you can also find the two rows via phpMyAdmin inside the wp_options table.

  • Hi,

    Regarding fixing affected sites, from what I’ve seen it usually injected an iframe into the source of the site, stored in one of the plugin’s settings. In most cases this can be removed by reverting the plugin settings, or by manually checking the settings, finding the malicious code, removing it and saving the plugin’s settings. After doing that you can clear the cache on the site and check your source code to see that there are no iframes or strange code added in the HEAD tag, especially between the <!-- Fancybox for WordPress --> and <!-- END of Fancybox for WordPress --> lines.

    As I said, I have only seen the vulnerability used for the iframe injection. Nevertheless, for sites that were indeed affected by the issue it’s not a bad idea to change admin and db passwords to be sure.

    For more info on the security issue that was found in February, please check https://www.ads-software.com/plugins/fancybox-for-wordpress/faq/
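
The page-source check from the reply above, as an added example that is not the plugin’s own code: it cuts out the markup between the plugin’s two HEAD comment markers and lists any iframe, embed or object tag, or script tag with an external src, found there. It assumes (my assumption, not something the thread states) that the plugin’s legitimate output in that block is an inline configuration script; the sample page source and the injected iframe are constructed for the example.

```python
import re

# The two HTML comments the plugin prints around its own output in <head>.
START_MARK = "<!-- Fancybox for WordPress -->"
END_MARK = "<!-- END of Fancybox for WordPress -->"

# Opening tags of the kinds the thread reports being injected.
EMBED_TAG = re.compile(r"<\s*(iframe|script|embed|object)\b[^>]*>", re.IGNORECASE)
HAS_SRC = re.compile(r"\bsrc\s*=", re.IGNORECASE)


def fancybox_block(html):
    """Return the markup between the plugin's two comment markers, or None if absent."""
    start = html.find(START_MARK)
    if start == -1:
        return None
    end = html.find(END_MARK, start)
    if end == -1:
        return None
    return html[start + len(START_MARK):end]


def suspicious_tags(html):
    """List opening tags inside the plugin's block that should not be there.

    Assumption for this example: the plugin's legitimate output in that block is
    inline configuration script, so any iframe/embed/object, or a <script> that
    pulls in an external src, is worth a look.
    """
    block = fancybox_block(html)
    if block is None:
        return []
    findings = []
    for m in EMBED_TAG.finditer(block):
        tag = m.group(0)
        if m.group(1).lower() == "script" and not HAS_SRC.search(tag):
            continue                      # inline init script: expected
        findings.append(tag)
    return findings


# Constructed page source; the init script body is made up for the example.
CLEAN_HTML = """<html><head>
<title>Test site</title>
<!-- Fancybox for WordPress -->
<script type="text/javascript">
jQuery(function($){ $("a.fancybox").fancybox({padding: 10}); });
</script>
<!-- END of Fancybox for WordPress -->
</head><body></body></html>"""

# Constructed hidden iframe of the kind the thread describes.
INJECTED_IFRAME = ('<iframe src="http://malicious.invalid/frame.php" width="0" '
                   'height="0" style="display:none"></iframe>')
INFECTED_HTML = CLEAN_HTML.replace(END_MARK, INJECTED_IFRAME + "\n" + END_MARK)

if __name__ == "__main__":
    import sys
    # Pass "-" to read a saved or fetched page from stdin; otherwise use the sample.
    source = sys.stdin.read() if sys.argv[1:] == ["-"] else INFECTED_HTML
    for tag in suspicious_tags(source):
        print("suspicious:", tag)
```

Run it against a freshly fetched copy of the page after clearing any cache, since a cached page can still show the old markup. The function only inspects the region between the two markers, which is where the reply says the injected code lands; anything injected elsewhere in HEAD needs a separate look.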

  • Hi,

    v3.0.3 should remove most instances of the malware code, but if that doesn’t happen, make sure you have the latest version of the plugin and try to revert its settings from the plugin’s settings page, then clear any cache your WordPress site might be using.

  • Hi,

    Have you tried using the HTML entity code for that character? Could it be that last time you had it set that way?

    Try using &rtrif; and &ltrif;

    You can find more codes here if necessary.

  • Hi,

    I think CrossDomain is not a recognized setting in FancyBox, but as you mentioned iframe should work fine for something like video embedding, glad to hear it worked in the end!

  • Hi,

    I see that part of the code had a couple of issues, an update to take care of it should be on the way soon…

  • Hi,

    The site looks safe to me right now, but it would be best to check to make sure. The message from Google means the vulnerability was exploited on the site. The only code I’ve personally seen being added to sites was an iframe that was posted on some site like WPTavern on the day it was discovered.

    I haven’t heard of any installation that had its admin panel hacked into as a result of the vulnerability.

    Also, looking at those links now shows no malicious code that I can see, but as I mentioned, it’s never a bad idea to run a malware scan. You can look for a plugin to do this if you don’t have one of your choice already: https://www.ads-software.com/plugins/search.php?q=malware+scanner

    The Google warnings could be from a cached version of the site too, so if you run any cache plugins, make sure it has been cleared.

    Once you’re certain there are no traces left, it would be a good idea to change passwords to be on the safe side.

    As for the patching of the issue, here’s a bit of info:

    On the day the issue was discovered I was notified and an update (v3.0.3) was released to fix the vulnerability. With v3.0.4 another change was made to clean the iframe or any other injected code from the database and stop it from appearing on affected installations. After being in contact with them, the WP.org security team set the update to v3.0.4 on automatic for all sites that support automatic updates. I think the autoupdate was left on for the following 24h, meaning a lot of people had the plugin updated without even knowing. After the autoupdate was disabled again, I released v3.0.5, which introduced just a few other minor fixes and changes.

    For more info you can check: https://www.ads-software.com/plugins/fancybox-for-wordpress/faq/

    Sorry for the inconvenience, let me know if you have any more questions.
