CVE-2015-1494

Name of the Vulnerable Software and Affected Versions FancyBox for WordPress versions prior to 3.0.3

Description The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via a mfbfw[*] parameter in an update action to "wp-admin/admin-post.php". This has been exploited in the wild, as demonstrated by the mfbfw[padding] parameter.

Recommendations For versions prior to 3.0.3, update to version 3.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin-post.php" endpoint to minimize the risk of exploitation. Avoid using the mfbfw[*] parameter in the affected endpoint until the issue is resolved.