A zero-day vulnerability in a WordPress plugin is being exploited by hackers to infect thousands of websites, according to researchers at network security firm Sucuri.
Daniel Cid, founder and chief technology officer of Sucuri, discovered the campaign after being alerted to suspicious activity by security researchers Konstantin Kovshenin and Gennady Kovshenin.
"All the infections had a similar malicious iframe from '203koko' injected into the website. In analysing the infected websites, we found that all the websites were using the Fancybox-for-WordPress plugin," read the advisory.
"After some analysis, we can confirm that this plugin has a serious vulnerability that allows malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information."
Fancybox is a popular WordPress plugin used on over 550,000 sites. Cid said that, although exact infection numbers are unknown, the widespread use of the plugin means its potential for harm is high.
"What makes things worse is that it's being actively exploited in the wild, leading to many compromised websites. We could confirm via our Website Firewall logs by seeing many exploit attempts blocked," he said.
WordPress has since removed Fancybox from its repository, although Cid said that infections will continue until individual website owners remove the plugin.
"The plugin was just removed by the WordPress.org team from their repository and you need to remove it from your site as well," he said.
"If you require it for specific features you really need to look at deploying alternative security solutions to help protect your website and block exploit attempts."
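As an added illustration, not code from Sucuri or from the article, the following scanner lets a site owner check saved page HTML for iframes carrying the '203koko' marker quoted in the advisory, and lists any other off-site iframes for review; the sample page and its hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Marker quoted in the Sucuri advisory: the injected iframe referenced "203koko".
KNOWN_BAD_MARKERS = ("203koko",)


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def find_suspect_iframes(html, site_host):
    """Return (reason, src) pairs for iframes matching a known marker or pointing off-site."""
    parser = IframeCollector()
    parser.feed(html)
    suspects = []
    for src in parser.sources:
        host = urlparse(src).netloc.lower()
        if any(marker in src.lower() for marker in KNOWN_BAD_MARKERS):
            suspects.append(("known-marker", src))
        elif host and host != site_host.lower():
            # Not necessarily malicious; listed so the owner can confirm it is expected.
            suspects.append(("off-site", src))
    return suspects


# Constructed sample page (hostnames are placeholders, not real indicators).
SAMPLE_HTML = """
<html><body>
<iframe src="https://example.com/embed/video"></iframe>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="http://203koko.example.invalid/in.php" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for reason, src in find_suspect_iframes(SAMPLE_HTML, "example.com"):
        print(f"{reason:13} {src}")
```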