The FancyBox for WordPress Vulnerability

…and how the exploit really worked

Last week a very popular plugin called FancyBox for WordPress was hit with a zero-day vulnerability which I happened to experience first-hand and dig into. If you’ve not heard about this here are a couple of links to get you up to speed:

The plugin was force-updated (where possible) on WordPress sites out there. This is the full disclosure of how the exploit worked.

Here’s the changeset that shows the piece of vulnerable code: https://plugins.trac.wordpress.org/changeset/1082625/fancybox-for-wordpress. The full function over at line 334 was called on the admin_init action. But if you look at the function in the previous revision it never checked for administration privileges, it just wrote the option without asking anyone anything.

This might come as a surprise to some, but admin_init can be triggered outside of an authenticated context – for example when making a call to wp-admin/admin-ajax.php, or wp-admin/admin-post.php (used originally in the wild). Triggering the necessary action and adding the necessary request data to push any values into the FancyBox options row was thus very trivial.

Simply make everything evaluate to true.

curl --data 'mfbfw[extraCalls]=PERSISTENT XSS&mfbw[extraCallsEnable]=on' http://target.lo/wp-admin/admin-ajax.php\?action=update\&page=fancybox-for-wordpress

Simple as that. By inserting JavaScript code into extraCalls an attacker got persistent XSS. FancyBox for WordPress simply output the value written in the database.

While the initial exploit was a mere iframe that targeted IE users (probably targeting this unpatched vulnerability), chaining this initial injection with cookie theft might result in compromised user accounts. And from there, depending on what account gets compromised – editing PHP files to achieve arbitrary code execution and everything that follows.

Stay safe and good luck!