CVE-2015-1494
Description
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.
CVE Details
CVSS v3.1 Score: N/A
Published: 2/17/2015
Last Modified: 4/12/2025
Source: nvd
Honeypot Sightings: 0
Affected Products
colorlib:fancybox
Weaknesses (CWE)
CWE-79
References
http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html (secalert@redhat.com)
http://osvdb.org/show/osvdb/118543 (secalert@redhat.com)
http://www.exploit-db.com/exploits/36087 (secalert@redhat.com)
http://www.openwall.com/lists/oss-security/2015/02/05/10 (secalert@redhat.com)
http://www.securityfocus.com/bid/72506 (secalert@redhat.com)
https://plugins.trac.wordpress.org/changeset/1082625/ (secalert@redhat.com)
https://wordpress.org/plugins/fancybox-for-wordpress/changelog/ (secalert@redhat.com)
https://wordpress.org/support/topic/possible-malware-2 (secalert@redhat.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.