Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2015-1494

Overview

Vulnerability Score 4.3 4.3
CVE Id CVE-2015-1494
Last Modified 09 Mar 2015 10:00:19
Published 17 Feb 2015 10:59:05
Confidentiality Impact NONE NONE
Integrity Impact PARTIAL PARTIAL
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2015-1494

Summary

The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.

Vulnerable Systems

Application

  • Fancybox Project Fancybox 3.0.2


References

MISC - https://wordpress.org/support/topic/possible-malware-2

CONFIRM - https://wordpress.org/plugins/fancybox-for-wordpress/changelog/

CONFIRM - https://plugins.trac.wordpress.org/changeset/1082625/

BID - 72506

MLIST - [oss-security] 20150205 Re: CVE request for Zero-day in the Fancybox-for-WordPress Plugin

MISC - http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html

EXPLOIT-DB - 36087

OSVDB - 118543


Last Updated: 27 May 2016 11:07:52