The plugin ‘Fancybox-for-WordPress’ has a zeroday exploit in the wild.
It has been removed from WordPress.org. If you are using this plugin, we suggest you remove it immediately.
Sucuri had a great writeup about this issue.
This is a great example why it is important to choose plugins carefully and keep them up to date.