WordPress plugin "Easy FancyBox" vulnerability

Last updated: May 28, 2020 at 3:12 AM

Actually, I have been worried for a long time.
Since February of this year, there have been many incidents in which websites were defaced with pages claiming to be from the Islamic State, due to vulnerabilities in the popular WordPress plugin "FancyBox for WordPress".
👉 Cross-site scripting vulnerability in FancyBox plugin for WordPress
It seems that the latest version has already taken countermeasures. Is the plugin "Easy FancyBox" used on this site really OK?

So I surveyed WordPress forums.
The following is a Q & A related to it.
I couldn't translate it with Google Translate, so I first translated it into Japanese.
(Maybe wrong)
It's a very simple answer, but it looks okay for now! (^ _-)

In addition, it seems that what "the two plugins share", as mentioned in the answer, may mean "jQuery".


https://wordpress.org/support/topic/general-question-about-security

Easy FancyBox
[resolved] General question about security (2 posts)

BackpackersUnion
Member
Posted 1 month ago #

Hi RavanH,

This is probably old news to you, but I wanted to ask if the code exploit found in the other plugin “FancyBox” is relevant to your plugin? I’m not sure if they’re related to each other in any other way except the name, but wanted to ask.

Thanks for all your great work and here’s a link to the article

Thanks again,
Carl

https://wordpress.org/plugins/easy-fancybox/



——————————————————————-

RavanH
Member
Plugin Author
Posted 1 month ago #

Hi, no. Although the two plugins share more than the name (the script is called fancybox), the exploit was plugin specific.

Easy FancyBox
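[Resolved] General question about security (2 posts)

BackpackersUnion
Member
Posted one month ago #

Hello RavanH,

This may be old news to you, but if a code vulnerability was found in the other plugin "FancyBox", I would like to ask whether it is related to your plugin.
I do not know whether they are related to each other in any way other than the name, but I would like to ask.
Thank you for all your great work, and here is a link to the article.

Thanks again,
Carl

https://wordpress.org/plugins/easy-fancybox/

———————————————————————-
RavanH
Member
Plugin Author
Posted one month ago #

Hello, no.
The two plugins share more than the name (the script is called fancybox), but the vulnerability was part of the plugin's specification.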

* April 23 Postscript
In connection with this, the new WordPress release linked below addresses a cross-site scripting vulnerability, and it seems security has been further strengthened. (This site has already been updated to the new version.)

WordPress 4.1.2 Security Release

Updating to the new version of WordPress is urgent, but in exchange, WordPress and plugins may malfunction.

* May 9th Postscript
The release of WordPress 4.2.2 fixes vulnerabilities and most bugs in WordPress 4.1.2 / 4.2 / 4.2.1.
