CVE-2015-1494
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site...
Basic Information
- CVE State: PUBLISHED
- Reserved Date: February 05, 2015
- Published Date: February 17, 2015
- Last Updated: August 06, 2024
- Vendor: WordPress
- Product: FancyBox for WordPress plugin
- Description: The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.
- Tags: wordpress, php
- Exploited in the Wild: Yes (2015-02-17 15:00:00 UTC)
CVSS Scores
- CVSS v2.0: 4.3 (Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploit Status
References
http://www.securityfocus.com/bid/72506
http://www.openwall.com/lists/oss-security/2015/02/05/10
https://plugins.trac.wordpress.org/changeset/1082625/
http://www.exploit-db.com/exploits/36087
https://wordpress.org/plugins/fancybox-for-wordpress/changelog/
https://wordpress.org/support/topic/possible-malware-2
http://osvdb.org/show/osvdb/118543
http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CVE | 2015-02-17 15:00:00 UTC |
Timeline
- CVE ID Reserved: February 05, 2015
- CVE Published to Public: February 17, 2015
- Added to KEVIntel: 2015-02-17 15:00:00 UTC