Today I began to notice quite a massive and very unusual attack that leverages vulnerabilities in older versions of the FancyBox for WordPress plugin.
A typical malicious injection looks like this:
Such attacks use the documented exploit code to inject malicious code into the “padding” value.
The exploited vulnerability had been fixed on February 4th. Nonetheless, many blogs failed to update the plugin and hackers routinely find such blogs and infect them.
Today’s attack also uses this exploit and modifies the “padding” value, but the code it injects cannot really be called malicious:
When visitors load such “infected” pages, they see this warning:
WARNING: This version of the Fancybox for WordPress plugin has expired!
Please upgrade to the latest version!
And when they click on the “OK” button, they automatically get redirected to the Fancybox for WordPress changelog page in the official WordPress plugin repository.
On one hand, this infection makes blogs unusable, since it redirects visitors to the WordPress plugin repository before they can read anything. On the other hand, it is very hard to ignore such a warning — if site owners want people to visit their sites, they have to upgrade (or remove) the vulnerable version of the plugin ASAP.
Now is the time to check if your blog shows such warnings. If you don’t see them, it’s not a reason to relax and wait for such a hard push to upgrade. Make sure all your themes and plugins are up-to-date now.
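A defender-side check for the symptom described above, added here as an example (it is not code from the original post or from the plugin): it pulls the “padding” value out of the plugin’s inline settings script and flags anything that is not a bare integer. It assumes the plugin renders its settings as a jQuery fancybox options object in an inline script, one option per line; the sample HTML is constructed.

```python
import re

# Constructed sample of the plugin's inline settings block (not taken from the post).
CLEAN_HTML = """<script type="text/javascript">
jQuery(function($){ $("a.fancybox").fancybox({
  'padding': 10,
  'margin': 20
}); });
</script>"""

# Same page after the option has been tampered with: the value breaks out of the
# options object and adds its own script (constructed, modelled on the post's warning).
INJECTED_HTML = CLEAN_HTML.replace(
    "'padding': 10,",
    "'padding': 10'});</script><script>alert('WARNING: This version of the "
    "Fancybox for WordPress plugin has expired!');</script>",
)

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# One option per line is assumed; the raw value runs to the end of the line.
PADDING_RE = re.compile(r"""['"]?padding['"]?\s*:\s*(.*)""")


def extract_padding_values(html):
    """Return every raw 'padding' value found in inline scripts that set up fancybox."""
    values = []
    for script in SCRIPT_RE.findall(html):
        if "fancybox" not in script.lower():
            continue  # ignore unrelated scripts (and CSS-like 'padding' elsewhere)
        for m in PADDING_RE.finditer(script):
            values.append(m.group(1).strip().rstrip(",").strip())
    return values


def is_suspicious(value):
    """A legitimate padding is a bare non-negative integer, optionally quoted."""
    return re.fullmatch(r"""['"]?\d+['"]?""", value) is None


def scan_page(html):
    """List padding values that do not look like a plain number."""
    return [v for v in extract_padding_values(html) if is_suspicious(v)]


if __name__ == "__main__":
    for name, html in (("clean", CLEAN_HTML), ("injected", INJECTED_HTML)):
        print(name, scan_page(html) or "no suspicious padding value")
```

Run it against a saved copy of your own front page; any non-numeric value is reason to check the plugin's stored settings and update or remove the plugin.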