A zero-day vulnerability in WordPress is being exploited by hackers to infect thousands of websites, according to researchers at network security firm Sucuri.
Daniel Cid, founder and chief technology officer of Sucuri, discovered the campaign after being alerted to suspicious activity by security researchers Konstantin Kovshenin and Gennady Kovshenin.
"All the infections had a similar malicious iframe from '203koko' injected into the website. In analysing the infected websites, we found that all the websites were using the Fancybox-for-WordPress plugin," read the advisory.
"After some analysis, we can confirm that this plugin has a serious vulnerability that allows malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information."
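The advisory's one concrete indicator is the '203koko' iframe injected into every infected page. The script below is an added example, not Sucuri's tooling, that shows how a site owner could triage their own rendered pages for that indicator and for the more general shape of an injected iframe (hidden, tiny, or pointing at a host the site never embeds). The sample page and the host name around '203koko' are constructed for the example; the allowlist of embed hosts is an assumption the reader would replace with their own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a normal page with one legitimate embed and one injected
# iframe. Only the '203koko' substring comes from the advisory; the surrounding
# host name is a placeholder, not a real domain from the report.
SAMPLE_PAGE = """<html><head><title>Example blog</title></head>
<body>
<p>Welcome to the site.</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://203koko.example.invalid/in.cgi" width="1" height="1" style="display:none"></iframe>
</body></html>"""

# Indicator string named in the Sucuri advisory.
KNOWN_INDICATORS = ("203koko",)

# Assumed allowlist of hosts this particular site legitimately embeds from.
DEFAULT_ALLOWED_HOSTS = ("www.youtube.com",)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def find_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def is_hidden(attrs):
    """Heuristic: injected frames are usually invisible (display:none or 1x1)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {"0", "1", "0px", "1px"}
    return ("display:none" in style
            or attrs.get("width", "") in tiny
            or attrs.get("height", "") in tiny)


def classify_iframe(attrs, indicators=KNOWN_INDICATORS,
                    allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Return the list of reasons an iframe looks injected (empty = looks fine)."""
    src = attrs.get("src", "")
    host = urlparse(src).hostname or ""
    reasons = []
    if any(ind in src for ind in indicators):
        reasons.append("known-indicator")
    if is_hidden(attrs):
        reasons.append("hidden")
    if host and host not in allowed_hosts:
        reasons.append("unlisted-host")
    return reasons


def scan_page(html, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Return a finding per suspicious iframe: its src and why it was flagged."""
    findings = []
    for attrs in find_iframes(html):
        reasons = classify_iframe(attrs, allowed_hosts=allowed_hosts)
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f"suspicious iframe {f['src']!r}: {', '.join(f['reasons'])}")
```

Run against saved copies of a site's rendered pages (not just the PHP source, since the injection can be added at render time), a hit on the known indicator is a confirmed match for this campaign, while the hidden and unlisted-host reasons on their own are only a prompt to look closer.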
Fancybox is a popular WordPress plugin used on over 550,000 sites. Cid said that, although exact infection numbers are unknown, the widespread use of the plugin means its potential for harm is high.
"What makes things worse is that it's being actively exploited in the wild, leading to many compromised websites. We could confirm via our Website Firewall logs by seeing many exploit attempts blocked," he said.
WordPress has since removed Fancybox from its repository, although Cid said that infections will continue until individual website owners remove the plugin.
"The plugin was just removed by the WordPress.org team from their repository and you need to remove it from your site as well," he said.
"If you require it for specific features you really need to look at deploying alternative security solutions to help protect your website and block exploit attempts."