A WordPress plugin downloaded half a million times has been used in zero day attacks that served up malware.

The plugin in question is called FancyBox and creates a lightbox-like interface with which to look at images. It's been used by unknown actors to deliver a malicious iframe through a persistent cross-site scripting vulnerability identified by Russian researchers Gennady and Konstantin Kovshenin.

The duo provided details to Sucuri chief tech bod Daniel Cid who issued an advisory warning users to dump the plug in.

FancyBox's authors have updated the code, so users can now update to repaired versions that will close off the attack vector.

Cid said "many sites" were compromised but did not specify a figure.

@ipstenu @soulseekah "assuming they're ALL vulnerable" is how I look at all WordPress plugins in general ;) — Konstantin Kovshenin (@kovshenin) February 4, 2015

"After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site," Cid said.

"What makes things worse, is that it's being actively exploited in the wild, leading to many compromised websites."

WordPress pulled the plugin prior to the patch, as the vulnerability allowed random scripts to be loaded into vulnerable sites.

Reports first emerged of the bug on the WordPress forums where users reported iframes were being injected from website 203koko.

The vulnerability followed what was described as the "most serious" hole in five years, disclosed last November, that affected what was then estimated to be 86 per cent of WordPress websites. That cross-site scripting hole was found in the hugely-popular WP-Statistics plugin.

Earlier, Cid revealed 50,000 WordPress websites had been infected with dodgy malware that found its way into MailPoet, another in a long time of plugins to have put sites at risk. ®