CVE-2015-1494
Description
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The FancyBox for WordPress plugin before 3.0.3 allows unauthenticated XSS via mfbfw[*] parameters and was actively exploited in February 2015.
Vulnerability
The FancyBox for WordPress plugin in versions before 3.0.3 fails to properly restrict access to the update action in wp-admin/admin-post.php. An attacker can inject arbitrary JavaScript via any mfbfw[*] parameter (e.g., mfbfw[padding]) in a POST request, and the stored value is later rendered into pages without encoding. The root cause is insufficient input sanitization combined with the absence of a capability check on the handler. Affected versions: all prior to 3.0.3.
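The missing controls named above (a capability check and input sanitization on a settings handler reached through admin-post.php) are easiest to see in a hardened handler. The following is an added example, not the FancyBox plugin's own code: a hypothetical WordPress plugin that stores its settings under a POST array parameter named mfbfw (as on this page). The hook name `admin_post_mfbfw_update`, the nonce action `mfbfw_update_settings`, the option name `mfbfw` and the setting keys are assumptions chosen for the illustration; the WordPress API calls (`current_user_can`, `check_admin_referer`, `sanitize_text_field`, `absint`, `update_option`) are real.

```php
<?php
// Hypothetical settings-update handler for a WordPress plugin (added example;
// not the FancyBox plugin's code). It applies the two checks whose absence
// the CVE description points to: a capability check and per-field
// sanitization, plus a nonce so only the plugin's own form can submit.
//
// Note: only the authenticated hook is registered. Registering the
// 'admin_post_nopriv_mfbfw_update' hook would expose this handler to
// requests without any logged-in user.
add_action( 'admin_post_mfbfw_update', 'mfbfw_handle_update' ); // hook name: assumption

function mfbfw_handle_update() {
    // 1. Capability check: only users allowed to manage options may save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the request must come from the plugin's own settings form.
    check_admin_referer( 'mfbfw_update_settings' ); // nonce action: assumption

    // 3. Sanitize every submitted field against an allow-list of known keys.
    $raw = array();
    if ( isset( $_POST['mfbfw'] ) && is_array( $_POST['mfbfw'] ) ) {
        $raw = wp_unslash( $_POST['mfbfw'] );
    }
    $clean = mfbfw_sanitize_settings( $raw );

    update_option( 'mfbfw', $clean ); // option name: assumption

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=mfbfw' ) ) );
    exit;
}

// Returns only known keys, each coerced to a safe type; unknown keys are dropped.
function mfbfw_sanitize_settings( array $raw ) {
    $clean = array();

    // Numeric layout settings (padding is the parameter named on this page):
    // casting to a non-negative integer leaves no room for markup.
    foreach ( array( 'padding', 'margin' ) as $key ) {
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = absint( $raw[ $key ] );
        }
    }

    // Free-text settings: strip tags, octets and line breaks.
    foreach ( array( 'title' ) as $key ) {
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $raw[ $key ] );
        }
    }

    return $clean;
}
```

Sanitizing on write is only half of the defence: wherever a stored setting is echoed back into HTML, inline CSS or a script block, it must still be escaped for that context on output (for example with `esc_attr` or `esc_js`), since the database is not a trust boundary.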
Exploitation
An unauthenticated remote attacker can send a crafted POST request to wp-admin/admin-post.php with action=update and malicious mfbfw[*] parameters. No authentication or user interaction is required. The attack was observed in the wild in February 2015, with exploit attempts blocked by web application firewalls [3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the WordPress admin area, leading to cross-site scripting (XSS). This can be used to inject malicious iframes or scripts, compromise the site, and potentially escalate to full site takeover [3].
Mitigation
The vulnerability was fixed in version 3.0.3, released in February 2015 [2]. Users should immediately update to 3.0.3 or later. The plugin was temporarily removed from the WordPress repository during the incident [3]. No workaround is available; updating is the only mitigation.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- wordpress.org/plugins/fancybox-for-wordpress/changelog/ (NVD: Patch)
- www.exploit-db.com/exploits/36087 (NVD: Exploit, Third Party Advisory, VDB Entry)
- wordpress.org/support/topic/possible-malware-2 (NVD: Exploit)
- blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html (NVD: Third Party Advisory)
- www.securityfocus.com/bid/72506 (NVD: Third Party Advisory, VDB Entry)
- osvdb.org/show/osvdb/118543 (NVD: Broken Link)
- www.openwall.com/lists/oss-security/2015/02/05/10 (NVD: Mailing List)
- plugins.trac.wordpress.org/changeset/1082625/ (NVD: Issue Tracking)
News mentions
No linked articles in our index yet.