Vulnerability analysis: Fancybox-For-WordPress image plugin vulnerability used for mass malicious-iframe injection on WordPress blogs

ID MYHACK58:62201559310
Type myhack58
Reporter Anonymous
Modified 2015-02-22T00:00:00



Fancybox For WordPress is a popular WordPress image plugin: it opens a blog's images in an attractive pop-up (lightbox) overlay with rich layer effects.

Last week security researchers found that a number of WordPress blogs had suffered mass malicious-iframe injection, and the blogs had one thing in common: the Fancybox plugin was installed. Through analysis, the researchers found the vulnerability in this plugin.

Vulnerability analysis

This vulnerability exists in plugin versions earlier than 3.0.2, and the exploit uses one of the more common attack paths for WordPress plugins: an unprotected admin_init hook.


Because the admin_init hook fires for anyone who requests /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, including unauthenticated visitors, the attacker can change the plugin's "mfbfw" option to arbitrary content.

What does this option do?


We found that this option is used in many places. What caught our attention was the mfbfw_init() function, which outputs a jQuery script using the parameters previously set in the mfbfw_admin_options() function.


As the figure shows, $settings is written to the output without any processing (no escaping).

So an attacker who abuses the unprotected admin_init hook can inject a malicious JavaScript payload, such as a malicious iframe, into every page of the attacked site.
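The two defects described above (an option-save handler on admin_init with no authorization check, and settings echoed raw into an inline script), each beside a hardened form, as an added example written for this page and not the plugin's own code. Function names prefixed `example_` are invented; only the `mfbfw` option and the admin_init hook come from the article, and the hardened save assumes the settings form emits a nonce with `wp_nonce_field( 'example_mfbfw_save', 'example_mfbfw_nonce' )`.

```php
<?php
// Added illustration, not Fancybox-For-WordPress code. Names prefixed
// example_ are hypothetical; "mfbfw" and admin_init come from the article.

// VULNERABLE pattern: admin_init fires for any request to
// /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, logged in or not,
// so whatever arrives in $_POST['mfbfw'] is stored as the plugin's settings.
function example_vulnerable_options_save() {
    if ( isset( $_POST['mfbfw'] ) ) {
        update_option( 'mfbfw', $_POST['mfbfw'] ); // no capability check, no nonce, no sanitizing
    }
}
add_action( 'admin_init', 'example_vulnerable_options_save' );

// HARDENED pattern: require an administrator, a nonce bound to the settings
// form (emitted with wp_nonce_field( 'example_mfbfw_save', 'example_mfbfw_nonce' )),
// and per-field sanitizing before anything reaches the options table.
function example_hardened_options_save() {
    if ( ! isset( $_POST['mfbfw'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // anonymous and low-privilege callers stop here
    }
    check_admin_referer( 'example_mfbfw_save', 'example_mfbfw_nonce' ); // dies on a bad/missing nonce

    $clean = array();
    foreach ( (array) $_POST['mfbfw'] as $key => $value ) {
        $clean[ sanitize_key( $key ) ] = sanitize_text_field( wp_unslash( $value ) );
    }
    update_option( 'mfbfw', $clean );
}
add_action( 'admin_init', 'example_hardened_options_save' );

// OUTPUT side: the settings end up inside an inline jQuery script. Emitting
// them as a JSON literal keeps them data; json_encode escapes "/" as "\/",
// so a stored "</script>" cannot close the script block and start markup.
function example_hardened_init_script() {
    $settings = get_option( 'mfbfw', array() );
    echo '<script>jQuery(function($){ $("a.fancybox").fancybox(';
    echo wp_json_encode( $settings ); // never echo $settings raw here
    echo '); });</script>';
}
add_action( 'wp_head', 'example_hardened_init_script' );
```

Defence in depth matters here: the output escaping alone would have limited the injected JavaScript even if the save handler stayed unprotected, and the capability plus nonce checks alone would have stopped the unauthenticated option change.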