A zero-day vulnerability in WordPress is being exploited by hackers to infect thousands of websites, according to researchers at network security firm Sucuri.
Daniel Cid, founder and chief technology officer of Sucuri, discovered the campaign after being alerted to suspicious activity by security researchers Konstantin Kovshenin and Gennady Kovshenin.
"All the infections had a similar malicious iframe from '203koko' injected into the website. In analysing the infected websites, we found that all the websites were using the Fancybox-for-WordPress plugin," read the advisory.
"After some analysis, we can confirm that this plugin has a serious vulnerability that allows malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information."
Fancybox is a popular WordPress plugin used on over 550,000 sites. Cid said that, although exact infection numbers are unknown, the widespread use of the plugin means its potential for harm is high.
"What makes things worse is that it's being actively exploited in the wild, leading to many compromised websites. We could confirm via our Website Firewall logs by seeing many exploit attempts blocked," he said.
WordPress has since removed Fancybox from its repository, although Cid said that infections will continue until individual website owners remove the plugin.
"The plugin was just removed by the WordPress.org team from their repository and you need to remove it from your site as well," he said.
"If you require it for specific features, you really need to look at deploying alternative security solutions to help protect your website and block exploit attempts."
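The one concrete indicator the advisory gives is that every infected site carried an injected iframe referencing '203koko'. The following is an added example, not code from the article or from Sucuri, of how a site owner could sweep their own rendered pages for that kind of injection: it parses the HTML, collects every iframe, and flags any whose source matches the published indicator string, points at a host outside an owner-supplied allowlist, or is hidden or sized to 1x1. The allowlist, the `.example` host in the sample page and the sample page itself are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator string quoted in the Sucuri advisory; the only IoC the article gives.
KNOWN_IOC_SUBSTRINGS = ("203koko",)

# Style values that hide an element; sizes of 1x1 or 0x0 are treated the same way.
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe is styled invisible or is at most one pixel in size."""
    if _HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:  # e.g. "100%" or "560px": cannot judge, do not flag
        return False
    return width <= 1 or height <= 1


def find_suspicious_iframes(html, allowed_hosts):
    """Return a list of {'src', 'reasons'} for iframes that look injected.

    allowed_hosts: hosts the site owner legitimately embeds (constructed input;
    the real list comes from the owner's own knowledge of their site).
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if any(ioc in src for ioc in KNOWN_IOC_SUBSTRINGS):
            reasons.append("matches published indicator")
        if host and host not in allowed_hosts:
            reasons.append(f"unexpected host {host}")
        if _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate video embed and one injected, hidden
# iframe whose host carries the advisory's indicator string (.example TLD is reserved).
SAMPLE_PAGE = """<html><body>
<p>Post content</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://203koko.example/in.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

# Constructed allowlist for the sample site.
ALLOWED_HOSTS = {"www.youtube.com"}

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

In practice the scan would be run over the site's rendered pages (fetched from a clean host, not from the possibly compromised server's own view), and any hit should be followed by removing the plugin as the advisory instructs, since cleaning the injected markup alone leaves the entry point in place.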