A zero-day vulnerability in a WordPress plugin, Fancybox-for-WordPress, is being exploited by hackers to infect thousands of websites, according to researchers at network security firm Sucuri.
Daniel Cid, founder and chief technology officer of Sucuri, discovered the campaign after being alerted to suspicious activity by security researchers Konstantin Kovshenin and Gennady Kovshenin.
"All the infections had a similar malicious iframe from '203koko' injected into the website. In analysing the infected websites, we found that all the websites were using the Fancybox-for-WordPress plugin," read the advisory.
"After some analysis, we can confirm that this plugin has a serious vulnerability that allows malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information."
Fancybox-for-WordPress is a popular plugin used on over 550,000 sites. Cid said that, although exact infection numbers are unknown, the widespread use of the plugin means its potential for harm is high.
"What makes things worse is that it's being actively exploited in the wild, leading to many compromised websites. We could confirm via our Website Firewall logs by seeing many exploit attempts blocked," he said.
The WordPress.org team has since pulled Fancybox-for-WordPress from the official plugin directory, although Cid said that infections will continue until individual website owners remove the plugin from their own installs.
"The plugin was just removed by the WordPress.org team from their repository and you need to remove it from your site as well," he said.
"If you require it for specific features you really need to look at deploying alternative security solutions to help protect your website and block exploit attempts."
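For site owners who want to act on the two facts the advisory does give, the injected iframe referencing '203koko' and the presence of the Fancybox-for-WordPress plugin, the following scanner is an added example written for this article; it is not Sucuri's code, not the plugin's code, and it does not describe the vulnerability itself. The '203koko' string is the only indicator taken from the advisory. The hidden-iframe heuristic, the sample page and the plugin directory name `fancybox-for-wordpress` (assumed to be the slug the plugin installs under in `wp-content/plugins`) are assumptions made here for illustration.

```python
"""Check a WordPress site for the indicators named in the Sucuri advisory.

Added example for this article; not Sucuri's code and not the plugin's code.
Only the '203koko' iframe marker comes from the advisory. The hidden-iframe
heuristic, the plugin slug and the sample page are assumptions for illustration.
"""
from html.parser import HTMLParser
import os
import re

# Indicator from the advisory: the injected iframe references '203koko'.
IOC_MARKERS = ("203koko",)

# Assumption: the plugin lives under wp-content/plugins/ in a directory of this name.
VULNERABLE_PLUGIN_SLUG = "fancybox-for-wordpress"

# Heuristic (not from the advisory): styles commonly used to make an injected
# iframe invisible to visitors while it still loads for the browser.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|position\s*:\s*absolute.*?(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample page: one iframe carrying the advisory's marker, one
# legitimate embed, and one hidden iframe with no marker.
SAMPLE_PAGE = """<html><head><title>Example blog</title></head><body>
<p>Welcome to the blog.</p>
<iframe src="http://203koko.example/in.php" width="1" height="1" style="display:none"></iframe>
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ" width="560" height="315"></iframe>
<iframe src="http://other.example/ad" style="position:absolute; left:-9999px"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_hidden(attrs):
    """True if the iframe is styled invisible or sized down to 0/1 pixels."""
    if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
        return True

    def dim(name):
        return attrs.get(name, "").strip().lower().rstrip("px").strip()

    return dim("width") in ("0", "1") and dim("height") in ("0", "1")


def find_suspicious_iframes(html, markers=IOC_MARKERS):
    """Return iframes whose src contains a known marker or that are hidden.

    Each finding is a dict with 'src', 'matched_marker' (None if only the
    hidden heuristic fired) and 'hidden'.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        marker = next((m for m in markers if m in src.lower()), None)
        hidden = _is_hidden(attrs)
        if marker or hidden:
            findings.append({"src": src, "matched_marker": marker, "hidden": hidden})
    return findings


def vulnerable_plugin_installed(plugin_dirs, slug=VULNERABLE_PLUGIN_SLUG):
    """True if the plugin slug is among the installed plugin directory names."""
    return slug in {d.lower() for d in plugin_dirs}


def scan_wp_root(root):
    """Walk an on-disk WordPress install: report the plugin and any HTML/PHP
    files containing a suspicious iframe. (Not exercised by the sample page.)"""
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    installed = os.listdir(plugins_dir) if os.path.isdir(plugins_dir) else []
    report = {"plugin_installed": vulnerable_plugin_installed(installed), "files": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".html", ".htm", ".php")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_suspicious_iframes(fh.read())
            except OSError:
                continue
            if hits:
                report["files"][path] = hits
    return report


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE):
        print(finding)
    print("plugin installed:", vulnerable_plugin_installed(["akismet", "fancybox-for-wordpress"]))
```

Run it against saved copies of your rendered pages (or point `scan_wp_root` at the document root) rather than only at theme files: the advisory says the iframe is injected into the served site, so the rendered output is what to inspect. A hit on `matched_marker` is the advisory's own indicator; a hit on `hidden` alone is only the heuristic and needs a human look before anything is deleted.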