Hi,
The patch for 1.4 does not fix the vulnerability. I will be happy to discuss specific details with you off-forum if you would email me at the address above. Otherwise, is there an email address you can provide so I may send you specific details?
Administrators who had the vulnerable version of this plugin installed should also consider resetting their user sessions and credentials. The patch issued yesterday closes the exploit vector within the plugin, but depending on how an attacker chose to exploit the vulnerability, it could have lead to compromised user credentials or arbitrary code execution in the admin panel (this would have been a separate attack than the iframe being reported here).
Unfortunately it looks like the patch for this vulnerability has caused additional issues within the plugin, namely, a broken portion of the options page – https://www.cryptobells.com/fancybox-for-wordpress-zero-day-and-broken-patch/
