The WPGateway premium plugin has a zero-day vulnerability, which has been actively exploited by hackers to target WordPress websites.
This zero-day vulnerability in WPGateway premium plugin has been identified by cybersecurity researchers at Wordfence Threat Intelligence team.
In terms of the functionality of WPGateway, it allows administrators to simplify a number of tasks, such as:
- Setting up sites
- Backing up sites
- Managing themes
- Managing plugins
In this case, the 0-day vulnerability has been tracked as CVE-2022-3180. A rogue user with admin privileges can be added by an unauthenticated attacker to completely take over a site running this plugin without authentication.
- CVE ID: CVE-2022-3180
- Description: It’s a privilege escalation security flaw.
- CVSS Score: 9.8
- Severity: Critical
The Wordfence Threat Intelligence analysts became aware of this zero-day vulnerability on September 8, 2022 that was actively exploited by the threat actors.
A malicious user is being added to a site running the WPGateway plugin through this method in order to add a malicious administrator user.
More than 280,000 sites have been protected against more than 4.6 million attacks targeting this vulnerability by Wordfence. There has been no further information released by Wordfence regarding these attacks or details about the vulnerability.
This information has been withheld by Wordfence in order to prevent any further exploitation of the information.
It is recommended that you check the rangex username in the user account section of the Admin account on your website if you wish to determine whether or not your website has been compromised in the ongoing campaign.
A further indication is that requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1. You can check your site logs to see if your server was targeted during the attack.
Download SWG – Secure Web Filtering – Free E-book