CVE-2015-1494
published 2015-02-17

CVE-2015-1494: The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting…

Priority: P2 (72), medium
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
VulnCheck KEV: exploited in the wild
EPSS: 6.41% (92.8th percentile)
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.

Affected (1 range)

Vendor     Product    Version range    Fixed in
colorlib   fancybox   <= 3.0.2         3.0.3

Detection & IOCs (extracted from sources)

url: wp-admin/admin-post.php
path: fancybox-for-wordpress.3.0.2.zip
filename: fancybox.php
parameter: mfbfw[padding]
  • Monitor POST requests to wp-admin/admin-post.php whose parameter names begin with 'mfbfw[' and that also carry 'action=update'; this is the exact request shape used to exploit CVE-2015-1494 for stored XSS. A legitimate administrator saving the plugin's settings produces a request of the same shape, so correlate with the absence of a WordPress login cookie and with markup or script fragments in the mfbfw[*] values before raising a high-severity alert.
  • Alert on FancyBox for WordPress plugin versions prior to 3.0.3; version 3.0.2 is confirmed vulnerable and was actively exploited in the wild in February 2015.
  • The vulnerability does not require authentication: the missing access restriction on the update action lets unauthenticated remote attackers submit it, so exploitation needs no valid WordPress credentials (consistent with the CVSS vector's Au:N).
  • This is a stored (persistent) XSS, not a reflected one: the payload is written to the WordPress options table and served to every visitor of the site, which widens the blast radius well beyond the initial request.
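The detection logic in the bullets above, written out as an added example (not code from this page or from the plugin's vendor). It assumes request records that carry the decoded request line, query string and POST body, as a WAF or reverse proxy that logs bodies would provide; the record layout, the sample requests and the sample plugin header are constructed for this example. It covers both bullets: the request-shape check for admin-post.php with action=update plus mfbfw[*] keys (with a second tier for script-looking values, so a bare option write and a stored-XSS attempt are distinguished), and the version check against the 3.0.3 fix.

```python
"""Detection helpers for CVE-2015-1494 (FancyBox for WordPress < 3.0.3).

Added example; not code from the page or from the plugin vendor. It assumes
request records that carry the decoded request line, query string and POST body
(as a WAF or reverse proxy that logs bodies would provide); the record layout
and the sample requests below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH_SUFFIX = "wp-admin/admin-post.php"
FIXED_VERSION = (3, 0, 3)          # first fixed release per the advisory
OPTION_PREFIX = "mfbfw["           # the plugin's option array, e.g. mfbfw[padding]

# Markup or script fragments that turn an option write into stored XSS.
MARKUP_RE = re.compile(r"<\s*(script|iframe|img|svg)|javascript:|\bon\w+\s*=", re.I)

# WordPress plugin header line, e.g. "Version: 3.0.2" in fancybox.php.
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([\d.]+)", re.M)


def _merged_params(query, body):
    """Merge query-string and body parameters. parse_qs percent-decodes the
    bracketed keys, so mfbfw%5Bpadding%5D and mfbfw[padding] look the same."""
    merged = {}
    for raw in (query, body):
        for key, values in parse_qs(raw or "", keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
    return merged


def classify_request(method, url, body=""):
    """Return the reasons a request matches the CVE-2015-1494 pattern
    (an empty list means no match)."""
    parts = urlsplit(url)
    if not parts.path.endswith(VULN_PATH_SUFFIX):
        return []
    params = _merged_params(parts.query, body)
    option_keys = sorted(k for k in params if k.startswith(OPTION_PREFIX))
    if "update" not in params.get("action", []) or not option_keys:
        return []
    reasons = [f"action=update writes FancyBox options {option_keys}"]
    for key in option_keys:
        for value in params[key]:
            if MARKUP_RE.search(value):
                reasons.append(f"{key} carries markup: {value[:60]!r}")
    if method.upper() != "POST":
        reasons.append(f"unexpected method {method.upper()} for the update action")
    return reasons


def plugin_version(header_text):
    """Parse the Version: field of a plugin header into a comparable tuple."""
    match = PLUGIN_VERSION_RE.search(header_text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable_version(header_text):
    """True when the installed plugin predates the 3.0.3 fix."""
    version = plugin_version(header_text)
    return version is not None and version < FIXED_VERSION


# Constructed sample traffic: one exploit attempt with a script payload, one
# bare option write, one unrelated admin-post action, one unrelated page.
SAMPLE_REQUESTS = [
    ("POST", "http://blog.example/wp-admin/admin-post.php",
     "action=update&mfbfw%5Bpadding%5D=10%22%3E%3Cscript%3Ealert(1)%3C/script%3E"),
    ("POST", "http://blog.example/wp-admin/admin-post.php",
     "action=update&mfbfw[padding]=10&mfbfw[margin]=20"),
    ("POST", "http://blog.example/wp-admin/admin-post.php",
     "action=save_widget&sidebar=sidebar-1"),
    ("GET", "http://blog.example/wp-login.php", ""),
]

# Constructed plugin header in the shape WordPress uses, at the vulnerable version.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: FancyBox for WordPress
Version: 3.0.2
*/
"""

if __name__ == "__main__":
    for method, url, body in SAMPLE_REQUESTS:
        hits = classify_request(method, url, body)
        print(f"{method} {url}: {'ALERT ' + '; '.join(hits) if hits else 'ok'}")
    print("installed version", plugin_version(SAMPLE_PLUGIN_HEADER),
          "vulnerable:", is_vulnerable_version(SAMPLE_PLUGIN_HEADER))
```

The version comparison uses integer tuples rather than string comparison so that a hypothetical 3.0.10 is correctly treated as later than 3.0.3; the markup regex is deliberately narrow, since a plain numeric option write is worth logging but not paging on.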

CVSS provenance

nvd: CVSS v2.0 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck: 4.3 MEDIUM