CVE-2015-1494

Name: CVE-2015-1494
Creator: NVD / NIST
Published: 2015-02-17T15:59:05.623+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 6.41%

Last modified Jun 17, 2026

CVE-2015-1494 is a vulnerability of currently unknown severity. The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.. EPSS estimates a 6.41% chance of exploitation in the next 30 days.

Description

The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.

Metrics

EPSS Probability

6.41%

92.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Colorlib	Fancybox	<= 3.0.2

References

http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.htmlThird Party Advisory
http://osvdb.org/show/osvdb/118543Broken Link
http://www.exploit-db.com/exploits/36087Exploit, Third Party Advisory, VDB Entry
http://www.openwall.com/lists/oss-security/2015/02/05/10Mailing List
http://www.securityfocus.com/bid/72506Third Party Advisory, VDB Entry
https://plugins.trac.wordpress.org/changeset/1082625/Issue Tracking
https://wordpress.org/plugins/fancybox-for-wordpress/changelog/Patch
https://wordpress.org/support/topic/possible-malware-2Exploit
http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.htmlThird Party Advisory
http://osvdb.org/show/osvdb/118543Broken Link
http://www.exploit-db.com/exploits/36087Exploit, Third Party Advisory, VDB Entry
http://www.openwall.com/lists/oss-security/2015/02/05/10Mailing List
http://www.securityfocus.com/bid/72506Third Party Advisory, VDB Entry
https://plugins.trac.wordpress.org/changeset/1082625/Issue Tracking
https://wordpress.org/plugins/fancybox-for-wordpress/changelog/Patch
https://wordpress.org/support/topic/possible-malware-2Exploit

Timeline

Published: Feb 17, 2015
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2015-1494?

How severe is CVE-2015-1494?

Severity scoring for CVE-2015-1494 is pending analysis. The EPSS model estimates a 6.41% probability of exploitation in the next 30 days.

How do I fix CVE-2015-1494?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2015-1494?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST