Zero-day in WPGateway WordPress plugin actively exploited in attacks

Sadia vera


The Wordfence Threat Intelligence team warned today that WordPress sites are actively targeted with exploits targeting a zero-day vulnerability in the WPGateway premium plugin.

WPGateway is a WordPress plugin that allows admins to simplify various tasks, including setting up and backing up sites and managing themes and plugins from a central dashboard.

This critical privilege escalation security flaw (CVE-2022-3180) enables unauthenticated attackers to add a rogue user with admin privileges to completely take over sites running the vulnerable WordPress plugin.

“On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin,” Wordfence senior threat analyst Ram Gall said today.

“The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.”

While Wordfence disclosed active exploitation of this security bug in the wild, it didn’t release additional information regarding these attacks and details regarding the vulnerability.

By withholding this info, Wordfence says that it wants to prevent further exploitation. This will also likely allow more WPGateway customers to patch their installations before other attackers develop their own exploits and join the attacks.

How to find if your site was hacked

If you want to check if your website was compromised in this ongoing campaign, you have to check for a new user with administrator permissions with the rangex username.

Additionally, requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 in the logs will show that your site was targeted in the attack but wasn’t necessarily compromised.

“If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard,” Gall warned.

“If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild.”

Next Post

Read this before you post your location on social media

A social media post shows a celebrity dripping in expensive jewelry at a well-known locale. Shortly thereafter, gunman sweep in to forcibly relieve the celebrity of said bling. It’s a story we’ve heard multiple times over the years, most recently in relation to the fatal shooting of rapper PnB Rock […]