CVE-2015-1494

EXPLOITED IN THE WILD

FancyBox for WordPress <3.0.3 - XSS


Exploitation Summary

CVE-2015-1494 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 1 public exploit, by NULLpOint7r.

AI-analyzed exploit summary: the exploit demonstrates a stored XSS in the Fancybox-for-WordPress plugin (version 3.0.2). The plugin's settings update handler accepts the 'mfbfw[padding]' value without sanitizing it and, per the description below, without properly restricting who may submit the update action, so a payload stored there is later rendered into the page and executes as arbitrary JavaScript.

Description

The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.
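Two checks a responder would want for this entry, written as an added example (not code from EIP, the plugin, or the Exploit-DB PoC): triage of web server access logs for requests shaped like the attack the description names (a POST to wp-admin/admin-post.php that did not originate from the site's own settings page), and inspection of the stored plugin option for script-capable markup. Assumptions: combined (Apache/nginx default) log format; the option row is named 'mfbfw' after the parameter family; the log lines and option blob are constructed for the example; and the heuristics are deliberately broad, since POST bodies are not in access logs.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format (Apache / nginx default). Written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint and parameter family named in the CVE description.
ENDPOINT = "/wp-admin/admin-post.php"
PARAM_PREFIX = "mfbfw["

# Markup that has no business in a layout setting such as padding (heuristic).
DANGEROUS = re.compile(r"<\s*/?\s*(script|iframe)|javascript\s*:|\bon\w+\s*=", re.I)
PHP_STRING = re.compile(r's:(\d+):"')


def parse_line(line):
    """Split one combined-format access log line into its fields, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_access_log(lines, site_host):
    """Return (ip, reason) for requests shaped like the admin-post.php attack.

    Access logs do not record POST bodies, so the mfbfw[...] fields of a real
    exploit are normally invisible. Two heuristics stand in for them:
      1. a POST to admin-post.php carrying action=update or mfbfw[ in the
         query string (a scripted client may put the fields there);
      2. a POST to admin-post.php whose Referer is not this site's own wp-admin,
         i.e. it came from an external page or a client sending no Referer.
    Expect false positives from Referer-stripping proxies; this is triage.
    """
    hits = []
    for line in lines:
        e = parse_line(line)
        if not e or e["method"] != "POST":
            continue
        url = urlsplit(e["target"])
        if url.path != ENDPOINT:
            continue
        decoded = unquote_plus(url.query)          # mfbfw%5Bpadding%5D -> mfbfw[padding]
        params = parse_qs(url.query, keep_blank_values=True)
        if PARAM_PREFIX in decoded or params.get("action") == ["update"]:
            hits.append((e["ip"], "update/mfbfw parameters in query string"))
            continue
        ref = urlsplit(e["referer"])
        if ref.netloc != site_host or not ref.path.startswith("/wp-admin/"):
            hits.append((e["ip"], "POST to admin-post.php not from own wp-admin (referer=%s)" % e["referer"]))
    return hits


def php_serialized_strings(blob):
    """Pull every s:LEN:"..." string out of PHP serialize() output.

    LEN is a byte count; the sample below is ASCII so characters == bytes.
    Reading by length (not by regex up to the next quote) keeps payloads that
    contain quotes or semicolons intact.
    """
    out, pos = [], 0
    while True:
        m = PHP_STRING.search(blob, pos)
        if not m:
            return out
        start, n = m.end(), int(m.group(1))
        out.append(blob[start:start + n])
        pos = start + n + 2  # skip the closing '";'


def suspicious_option_values(option_blob):
    """Values in a dumped option row that contain script-capable markup.

    Feed it: SELECT option_value FROM wp_options WHERE option_name='mfbfw';
    (option name assumed from the parameter family; confirm on the target site).
    """
    return [v for v in php_serialized_strings(option_blob) if DANGEROUS.search(v)]


# Constructed sample data for this example: not real traffic or a real site.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2015:10:14:02 +0000] "POST /wp-admin/admin-post.php?page=fancybox-for-wordpress HTTP/1.1" 302 0 "http://attacker.example/form.html" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Feb/2015:10:20:11 +0000] "POST /wp-admin/admin-post.php?action=update&mfbfw%5Bpadding%5D=x HTTP/1.1" 302 0 "-" "curl/7.38.0"',
    '192.0.2.9 - - [05/Feb/2015:11:00:00 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example/wp-admin/options-general.php?page=fancybox-for-wordpress" "Mozilla/5.0"',
    '192.0.2.9 - - [05/Feb/2015:11:00:01 +0000] "GET /wp-admin/options-general.php?page=fancybox-for-wordpress HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
SAMPLE_OPTION = (
    'a:2:{s:7:"padding";s:38:"10"></script><script>alert(1)</script>";'
    's:6:"margin";s:2:"20";}'
)

if __name__ == "__main__":
    for ip, reason in triage_access_log(SAMPLE_LOG, "blog.example"):
        print(ip, reason)
    for v in suspicious_option_values(SAMPLE_OPTION):
        print("stored payload:", v)
```

On the constructed sample, the two external POSTs are flagged and the admin's own settings save from /wp-admin/ is not; the option scan returns the injected padding value. Because the stored payload is served to every visitor of a page that loads the plugin, finding it in wp_options is the decisive indicator; the log heuristics only narrow down when and from where it was written.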

Exploits (1)

Exploit-DB 36087 · working PoC · verified
by NULLpOint7r · text · webapps · php
https://www.exploit-db.com/exploits/36087


Classification
Working PoC: 95%
Attack type: XSS
Complexity: trivial
Reliability: reliable
Target: Fancybox-for-WordPress 3.0.2
Auth required: listed as yes (access to a WordPress admin account). Note, however, that the description above says the update action in wp-admin/admin-post.php does not properly restrict access, so an authenticated admin account should not be assumed necessary for the vulnerability itself; verify the prerequisite against the PoC rather than relying on this classification.
Prerequisites: plugin installed and activated
Analyzed by devstral-2, Feb 16, 2026

References (5 of 8 listed)

Third-party advisory / VDB entry (SecurityFocus BID 72506):
http://www.securityfocus.com/bid/72506
Mailing list (oss-security, 2015-02-05):
http://www.openwall.com/lists/oss-security/2015/02/05/10
Issue tracking / confirmation (plugin changeset 1082625):
https://plugins.trac.wordpress.org/changeset/1082625/
Exploit / third-party advisory / VDB entry (Exploit-DB 36087):
http://www.exploit-db.com/exploits/36087
VDB entry (OSVDB 118543, broken link):
http://osvdb.org/show/osvdb/118543

Scores

EPSS score: 0.0641 (6.41% estimated probability of exploitation activity in the next 30 days)
EPSS percentile: 92.8%

Details

VulnCheck KEV: 2015-02-17
InTheWild.io: 2021-07-20
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (1): colorlib/fancybox < 3.0.3 (3.0.2 is the last affected release; the fix shipped in 3.0.3)
Published: Feb 17, 2015
Tracked since: Feb 18, 2026