WordPress sites with the plug-in Fancybox-for-WordPress should apply a critical security update released Thursday that fixes a vulnerability already exploited by attackers.
Researchers from Web security firm Sucuri issued a warning about the vulnerability Wednesday after seeing attacks that injected a malicious iframe into websites.
Fancybox-for-WordPress has been downloaded almost 600,000 times from the official WordPress plug-in repository to date.
"After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site," the Sucuri researchers said in a blog post in which they advised users to remove the plug-in because the flaw was unpatched.
That might no longer be necessary as the plug-in's developers released two new versions in rapid succession Thursday to fix the vulnerability. Version 3.0.3 addresses the actual flaw, while version 3.0.4 renames the plug-in setting where the issue originated.
"This should stop the malicious code from appearing on sites where the plugin is updated without removing the malicious code," the plug-in developers said in the changelog.
Users are advised to update to the latest version -- 3.0.4.
WordPress sites are a favorite target for hackers, who compromise them to host malicious content and spam pages or to try and gain control of the underlying Web servers. Vulnerabilities in WordPress plug-ins and themes have been exploited before in large scale attacks that compromised thousands of websites.