CVE-2015-1494
Published: 2015-02-17
Priority: P272 · medium · 4.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 6.41% (92.8th percentile)
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| colorlib | fancybox | <= 3.0.2 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to wp-admin/admin-post.php containing 'mfbfw[' parameter names combined with an 'action=update' parameter; this is the exact attack vector for CVE-2015-1494 stored XSS exploitation.
- Alert on FancyBox for WordPress plugin versions prior to 3.0.3; version 3.0.2 is confirmed vulnerable and was actively exploited in the wild in February 2015.
- The vulnerability does not require authentication: the access restriction bypass allows unauthenticated remote attackers to submit the update action, making this exploitable without valid WordPress credentials.
- This is a stored (persistent) XSS, not reflected: the payload is written to the WordPress options table and served to all visitors, increasing blast radius beyond the initial request.
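The first detection bullet above, turned into runnable logic as an added example (not taken from any of the page's sources). It assumes a request log that records method, URI and, for POSTs, the body; the sample records are constructed here and the log format is hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names the vulnerable update handler accepts (from the CVE text: mfbfw[*]).
MFBFW_KEY = re.compile(r"^mfbfw\[")
TARGET_PATH = "/wp-admin/admin-post.php"

# Constructed sample records in a "METHOD URI [BODY]" shape, as a reverse proxy or
# WAF with request-body logging might emit them. Real log formats will differ.
SAMPLE_REQUESTS = [
    "POST /wp-admin/admin-post.php action=update&mfbfw[padding]=10&mfbfw[margin]=20",
    "GET /wp-admin/admin-post.php?action=update&mfbfw[padding]=10",
    "POST /wp-admin/admin-post.php action=update&page=fancybox",
    "POST /wp-admin/admin-ajax.php action=update&mfbfw[padding]=10",
    "POST /wp-admin/admin-post.php?action=update mfbfw[padding]=5",
]


def mfbfw_update_keys(method, uri, body=""):
    """Return the sorted mfbfw[...] parameter names when a request matches the
    CVE-2015-1494 vector (POST to admin-post.php with action=update and at least
    one mfbfw[...] parameter in the query string or body); otherwise an empty list."""
    if method.upper() != "POST":
        return []
    parts = urlsplit(uri)
    if not parts.path.endswith(TARGET_PATH):
        return []
    # Merge query-string and body parameters; either may carry the action.
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    if "update" not in params.get("action", []):
        return []
    return sorted(k for k in params if MFBFW_KEY.match(k))


def scan_log(lines):
    """Parse 'METHOD URI [BODY]' lines and return (line_no, keys) for each hit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split(" ", 2)
        if len(fields) < 2:
            continue  # malformed record; skip rather than crash
        body = fields[2] if len(fields) == 3 else ""
        keys = mfbfw_update_keys(fields[0], fields[1], body)
        if keys:
            hits.append((line_no, keys))
    return hits


if __name__ == "__main__":
    for line_no, keys in scan_log(SAMPLE_REQUESTS):
        print(f"line {line_no}: suspicious FancyBox update with {keys}")
```

The matcher keys on request structure (path, action, parameter names) rather than on payload content, so it also flags attempts whose values are encoded or otherwise obfuscated.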
CVSS provenance
- NVD (CVSS v2.0): 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
- VulnCheck: 4.3 MEDIUM
GHSA
GHSA-44cc-c4hq-r7vv (unreviewed, 2022-05-13): CVE-2015-1494 [MEDIUM] CWE-79. Description as in the record above.
VulnCheck
colorlib fancybox: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), 2015, CVSS 4.3 [MEDIUM]. Description as in the record above.
Affected: colorlib fancybox
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html; https://www.cve.org/CVERecord?id=CVE-2015-1494
No detection rules found.
No writeups or analysis indexed.
References
- http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html
- http://osvdb.org/show/osvdb/118543
- http://www.exploit-db.com/exploits/36087
- http://www.openwall.com/lists/oss-security/2015/02/05/10
- http://www.securityfocus.com/bid/72506
- https://plugins.trac.wordpress.org/changeset/1082625/
- https://wordpress.org/plugins/fancybox-for-wordpress/changelog/
- https://wordpress.org/support/topic/possible-malware-2