Possible malware hidden in thousands of WordPress sites

There's a serious vulnerability in a WordPress plugin, and more than half a million websites are at risk.

A recent study by Sucuri Security has shown that a WordPress plugin, Fancybox, has a serious flaw that lets attackers add malware, or any other arbitrary script, to sites running it.

Fancybox is a tool for displaying images, HTML content and multimedia in a Mac-style "lightbox" that floats on top of a web page.

“After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information,” wrote Daniel Cid on the Sucuri blog.

This plugin has more than 550,000 downloads, Sucuri adds.

Jerome Segura, senior security researcher at Malwarebytes, says the popularity of WordPress makes it an interesting target for hackers.

“Half a million sites use the Fancybox-for-WordPress plugin, making them an interesting target for mass and automated attacks,” says Segura.

“A vulnerable site can get remotely injected with malicious code so that it acts as a redirection platform to spammy content or even exploit kit landing pages. Third-party plugins have always been WordPress's Achilles' heel for the lack of quality control and of course the fact that some developers may stop maintaining the plugin.”

“As a rule of thumb, WordPress site owners should ensure they run the minimum number of plugins to reduce the possible attack surface, as well as use proper security hygiene.

“Hardening a site with correct file permissions, limiting the number of administrator accounts, enforcing strong passwords, and installing a web application firewall are some of the techniques one can roll out to avoid getting hacked.”
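The outcome Segura describes, a compromised site quietly turned into a redirection platform, can be checked for from the outside by scanning a fetched page's HTML for the constructs such injections rely on: script and iframe sources on foreign hosts, meta refreshes, and inline scripts that rewrite the location. The scanner below is an added example, not code from the article, Sucuri or Malwarebytes; the sample page and example.com as the site's own hostname are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: assets on example.com (assumed site host) are the
# site's own; every other element is a constructed example of injected content.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://bad.example.net/landing">
<script src="https://example.com/wp-content/plugins/fancybox-for-wordpress/fancybox.js"></script>
<script src="http://cdn.example.org/loader.js"></script></head><body>
<iframe src="http://bad.example.net/frame" width="1" height="1"></iframe>
<script>window.location = "http://bad.example.net/go";</script></body></html>"""


class InjectionScanner(HTMLParser):
    # Flags external script/iframe sources, meta refresh and inline location rewrites.
    def __init__(self, allowed):
        super().__init__()
        self.allowed = set(allowed)
        self.findings = []
        self._in_script = False

    def _external(self, url):
        host = urlparse(url).hostname
        return host is not None and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src") and self._external(a["src"]):
                self.findings.append(("external-script", a["src"]))
        elif tag == "iframe" and a.get("src") and self._external(a["src"]):
            self.findings.append(("external-iframe", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Heuristic: a blog's own inline scripts rarely need to rewrite location.
        if self._in_script and "location" in data and "=" in data:
            self.findings.append(("inline-redirect", data.strip()[:80]))


def scan_html(html, allowed_hosts):
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings
```

Run it against a copy of the homepage fetched over HTTP and diff the findings against a known-good baseline; a new foreign host appearing in the output is the cue to inspect the plugin's settings and the site's files.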

WordPress is used by more than 23 per cent of the top 10 million websites, making it one of the most popular blogging platforms available, according to a recent study.