CVE-2015-1494
NONE EPSS 92.8%
Published Feb 17, 2015 · Modified Jun 17, 2026
Description
The FancyBox for WordPress plugin before 3.0.3 does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter; this was exploited in the wild in February 2015.
Threat Intelligence
EPSS Exploit Probability
92.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-79 Cross-site Scripting (XSS)
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| colorlib | fancybox | * | ≤3.0.2 |
References 8
- blog.sucuri.net http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html
- osvdb.org http://osvdb.org/show/osvdb/118543
- exploit-db.com http://www.exploit-db.com/exploits/36087
- openwall.com http://www.openwall.com/lists/oss-security/2015/02/05/10
- securityfocus.com http://www.securityfocus.com/bid/72506
- plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset/1082625/
- wordpress.org https://wordpress.org/plugins/fancybox-for-wordpress/changelog/
- wordpress.org https://wordpress.org/support/topic/possible-malware-2
Remediation
- wordpress.org https://wordpress.org/plugins/fancybox-for-wordpress/changelog/