CVE-2015-1494

CVSS: none listed
EPSS: 92.8th percentile
Published: Feb 17, 2015
Last modified: Jun 17, 2026

Description

The FancyBox for WordPress plugin before 3.0.3 does not properly restrict access to its settings-update handler, which is reachable through wp-admin/admin-post.php. A remote attacker can therefore submit an update action carrying mfbfw[*] parameters (mfbfw[padding] was the field used in the wild) without being logged in. The submitted values are saved as plugin options and later written into the markup and inline script the plugin emits on the public site, so the injected content is stored and served to every visitor until the option is cleaned (stored cross-site scripting). The flaw was exploited in the wild in February 2015, before a patch was available.
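The following is an added illustration of the bug class described above and of its hardened counterpart; it is not the plugin's own code and does not reproduce the plugin's functions. The option key mfbfw and the mfbfw[padding] field come from the advisory; every function name, the defaults and the allowlist of values are hypothetical. The vulnerable half shows why hooking a save routine on admin_init is the trap: wp-admin/admin-post.php loads the admin bootstrap, so admin_init fires for anonymous requests too, and a handler that only looks at $_POST['action'] runs for anyone. The hardened half applies the general fix for any WordPress settings handler, not just this plugin: a capability check, a nonce, allowlist sanitization before storage, and escaping when the stored value is written into a script block.

```php
<?php
/**
 * Added example (not FancyBox for WordPress code): the CVE-2015-1494 pattern
 * beside a hardened version. Function names, defaults and allowed values are
 * hypothetical; only the 'mfbfw' option key and mfbfw[padding] come from the advisory.
 */

// ---- Vulnerable pattern (do not use) --------------------------------------
// admin_init fires for wp-admin/admin-post.php even when nobody is logged in,
// and nothing here checks who is asking (capability) or proves intent (nonce).
function vuln_mfbfw_save_settings() {
    if ( isset( $_POST['action'] ) && 'update' === $_POST['action'] && isset( $_POST['mfbfw'] ) ) {
        update_option( 'mfbfw', $_POST['mfbfw'] ); // raw attacker-controlled array stored as-is
    }
}
// add_action( 'admin_init', 'vuln_mfbfw_save_settings' );

function vuln_mfbfw_print_config() {
    $o = get_option( 'mfbfw', array() );
    // The stored value lands unescaped inside <script> on every public page:
    // a padding of  10});alert(1);({  breaks out of the config object.
    echo '<script>jQuery(function($){$("a.fancybox").fancybox({padding:' . $o['padding'] . '});});</script>';
}
// add_action( 'wp_head', 'vuln_mfbfw_print_config' );

// ---- Hardened pattern -------------------------------------------------------
function safe_mfbfw_defaults() {
    return array( 'padding' => 10, 'margin' => 20, 'transitionIn' => 'fade' ); // hypothetical defaults
}

// Allowlist sanitization: integers become integers, strings must match a fixed set.
function safe_mfbfw_sanitize( $input ) {
    $defaults = safe_mfbfw_defaults();
    $clean    = $defaults;
    $input    = is_array( $input ) ? $input : array();
    $clean['padding'] = isset( $input['padding'] ) ? absint( $input['padding'] ) : $defaults['padding'];
    $clean['margin']  = isset( $input['margin'] ) ? absint( $input['margin'] ) : $defaults['margin'];
    $allowed_transitions = array( 'fade', 'elastic', 'none' ); // hypothetical allowlist
    $clean['transitionIn'] = ( isset( $input['transitionIn'] ) && in_array( $input['transitionIn'], $allowed_transitions, true ) )
        ? $input['transitionIn'] : $defaults['transitionIn'];
    return $clean;
}

function safe_mfbfw_save_settings() {
    // 1. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Intent: a nonce bound to this action stops cross-site request forgery.
    check_admin_referer( 'mfbfw_update', 'mfbfw_nonce' );
    // 3. Sanitize against the allowlist before anything reaches the database.
    $raw   = isset( $_POST['mfbfw'] ) ? wp_unslash( $_POST['mfbfw'] ) : array();
    $clean = safe_mfbfw_sanitize( $raw );
    update_option( 'mfbfw', $clean );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
// Only the logged-in hook is registered; admin_post_nopriv_mfbfw_update is
// deliberately absent, so anonymous requests to admin-post.php never reach the handler.
add_action( 'admin_post_mfbfw_update', 'safe_mfbfw_save_settings' );

function safe_mfbfw_print_config() {
    // Re-sanitize on output (defence in depth against values stored before the fix),
    // then JSON-encode with HEX flags so no string can close the <script> element.
    $o    = safe_mfbfw_sanitize( get_option( 'mfbfw', array() ) );
    $json = wp_json_encode( $o, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
    echo '<script>jQuery(function($){$("a.fancybox").fancybox(' . $json . ');});</script>';
}
add_action( 'wp_head', 'safe_mfbfw_print_config' );

// The settings form posts to admin-post.php with the action name and the nonce the handler verifies.
function safe_mfbfw_form_fields() {
    $current = safe_mfbfw_sanitize( get_option( 'mfbfw', array() ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="mfbfw_update">';
    wp_nonce_field( 'mfbfw_update', 'mfbfw_nonce' );
    echo '<input name="mfbfw[padding]" value="' . esc_attr( $current['padding'] ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

The order of the three checks in the hardened handler matters: the capability check rejects anonymous and low-privilege callers before any nonce is evaluated, the nonce rejects forged requests from an administrator's browser, and sanitization limits what even a legitimate administrator can store. Output escaping is kept as a separate layer because a value already sitting in wp_options from an earlier compromise would otherwise still execute after the plugin is upgraded.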

Threat Intelligence

EPSS: 92.8th percentile (the predicted exploitation probability ranks above 92.8% of scored CVEs)
Exploit status: public exploit known (Exploit-DB 36087); exploited in the wild in February 2015
Patch status: patch available (version 3.0.3)

Weaknesses (1)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products (1)

Vendor    Product                  Version range
colorlib  fancybox (FancyBox for WordPress)  all versions ≤ 3.0.2

References (8)

  • http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html
    Third Party Advisory
  • http://osvdb.org/show/osvdb/118543
    Broken Link
  • http://www.exploit-db.com/exploits/36087
    Exploit, Third Party Advisory, VDB Entry
  • http://www.openwall.com/lists/oss-security/2015/02/05/10
    Mailing List
  • http://www.securityfocus.com/bid/72506
    Third Party Advisory, VDB Entry
  • https://plugins.trac.wordpress.org/changeset/1082625/
    Issue Tracking
  • https://wordpress.org/plugins/fancybox-for-wordpress/changelog/
    Patch
  • https://wordpress.org/support/topic/possible-malware-2
    Exploit

Remediation

  • Upgrade FancyBox for WordPress to 3.0.3 or later (plugin changeset 1082625), which restricts access to the settings-update handler.
  • Upgrading does not remove values that were already injected: because the flaw was exploited in the wild before the patch, inspect the stored plugin settings (the mfbfw option) and the site's front-end output for injected script or iframe markup, and reset the settings if anything unexpected is found.
  • https://wordpress.org/plugins/fancybox-for-wordpress/changelog/
    Patch