Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability


A zero-day flaw in the latest version of a premium WordPress plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites.

Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious admin user to sites running the WPGateway plugin, WordPress security firm Wordfence noted.

“Part of the plugin’s functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator,” Wordfence researcher Ram Gall said in an advisory.


WPGateway is billed as a way for site admins to install, backup, and clone WordPress plugins and themes from a unified dashboard.

The most common indicator that a website running the plugin has been compromised is the presence of an administrator with the username “rangex”.

Additionally, the appearance of requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” in the access logs is a sign that the WordPress site has been targeted by the flaw, although it does not necessarily imply a successful breach.
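As an added example (not code from Wordfence or this article), the following Python script checks both indicators named above: requests to the WPGateway web-service endpoint in an access log, and an administrator account named "rangex". The log lines and user list are constructed samples, and the log format assumed is the Apache common/combined format.

```python
# Detection helper for the WPGateway (CVE-2022-3180) indicators reported by Wordfence.
import re
from collections import Counter

# Request path reported in access logs of targeted sites, and the rogue admin username
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials=1"
IOC_USERNAME = "rangex"

# Apache common/combined format: client IP, timestamp, "METHOD path HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_ioc_request(path: str) -> bool:
    """True when the request targets the WPGateway endpoint with wp_new_credentials=1.
    Leading slashes are collapsed because the observed requests start with '//'."""
    path = re.sub(r"^/+", "/", path)
    base, _, query = path.partition("?")
    return base == IOC_PATH and IOC_PARAM in query.split("&")

def scan_access_log(lines):
    """Return (hits, ips): hits lists (ip, timestamp, status) per matching request,
    ips counts matching requests per source address. A 200 does not prove success,
    and a 403 usually means a WAF or the plugin's removal blocked the attempt."""
    hits, ips = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_ioc_request(m.group("path")):
            continue
        hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
        ips[m.group("ip")] += 1
    return hits, ips

def suspicious_admins(users):
    """Flag administrators whose login is the known rogue username.
    `users` is an iterable of (login, role) pairs, e.g. from wp_users/wp_usermeta."""
    return [login for login, role in users
            if role == "administrator" and login.lower() == IOC_USERNAME]

# Constructed sample data, not real traffic or a real site
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2022:10:01:33 +0000] "POST //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Sep/2022:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3921',
    '203.0.113.7 - - [12/Sep/2022:10:05:41 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 403 199',
]
SAMPLE_USERS = [("admin", "administrator"), ("rangex", "administrator"), ("editor1", "editor")]

if __name__ == "__main__":
    hits, ips = scan_access_log(SAMPLE_LOG)
    print(hits, dict(ips), suspicious_admins(SAMPLE_USERS))
```

On a real site, feed the web server's access log to `scan_access_log` and the output of the administrator user query to `suspicious_admins`; any hit from the first warrants checking the second.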

Wordfence said it blocked more than 4.6 million attacks trying to take advantage of the vulnerability against more than 280,000 sites in the past 30 days.

Further details about the vulnerability have been withheld due to active exploitation and to prevent other actors from taking advantage of the loophole. In the absence of a fix, users are recommended to remove the plugin from their WordPress installations until a fix is available.


The development comes days after Wordfence warned of abuse in the wild of another zero-day flaw in a WordPress plugin called BackupBuddy.

The disclosure also comes as Sansec revealed that threat actors broke into the extension licensing system of FishPig, a provider of popular Magento-WordPress integrations, to inject malicious code designed to install a remote access trojan called Rekoobe.
