Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

A zero-day flaw in the latest version of a premium WordPress plugin known as WPGateway is actively exploited in the wild, potentially allowing malicious actors to completely take control of affected sites.

Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious admin user to sites running the WPGateway plugin, WordPress security firm Wordfence noted.

“Part of the functionality of the plugin exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator,” Wordfence researcher Ram Gall said in a notice.


WPGateway is billed as a way for site admins to install, backup, and clone WordPress plugins and themes from a unified dashboard.

The most common indicator that a website running the plugin has been compromised is the presence of an administrator with the username “rangex”.

Additionally, the appearance of requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” in the access logs is a sign that the WordPress site has been targeted by the flaw, although it does not necessarily imply a successful breach.
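As an added example (not code from the article or from Wordfence), the following Python snippet checks both indicators described above against constructed sample data: an access log scanned for requests to the WPGateway web-service path carrying the wp_new_credentials parameter, and a user list checked for an administrator named "rangex". The combined log format and the sample entries are assumptions.

```python
import re
from urllib.parse import parse_qs

# Indicators described in the Wordfence advisory quoted in the article.
SUSPICIOUS_ADMIN = "rangex"
TARGET_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
TARGET_PARAM = "wp_new_credentials"

# Apache/nginx "combined" log format (assumed): client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def is_wpgateway_probe(url: str) -> bool:
    """True if a request URL matches the path and query parameter from the advisory."""
    path, _, query = url.partition("?")
    # Collapse doubled slashes ("//wp-content/...") as seen in the advisory's example.
    path = re.sub(r"/+", "/", path)
    if path != TARGET_PATH:
        return False
    return TARGET_PARAM in parse_qs(query)

def scan_access_log(lines):
    """Return (ip, timestamp, status) for each request matching the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_wpgateway_probe(m.group("url")):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

def find_suspicious_admins(users):
    """users: iterable of (user_login, role); flags the 'rangex' administrator indicator."""
    return [login for login, role in users
            if login.lower() == SUSPICIOUS_ADMIN and role == "administrator"]

# Constructed sample data (not taken from the article).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2022:10:01:02 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "curl/7.85"',
    '198.51.100.7 - - [12/Sep/2022:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3042 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Sep/2022:10:03:44 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 403 199 "-" "curl/7.85"',
]
SAMPLE_USERS = [("admin", "administrator"), ("rangex", "administrator"), ("editor1", "editor")]

if __name__ == "__main__":
    for ip, ts, status in scan_access_log(SAMPLE_LOG):
        print(f"probe from {ip} at {ts} -> HTTP {status}")
    print("suspicious admins:", find_suspicious_admins(SAMPLE_USERS))
```

A 200 on the probe path means the request reached the plugin, while a 403 indicates it was blocked; either way the user table should be reviewed for the added account.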

Wordfence said it blocked more than 4.6 million attacks trying to take advantage of the vulnerability against more than 280,000 sites in the past 30 days.

Further details about the vulnerability have been withheld due to active exploitation and to prevent other actors from taking advantage of the loophole. In the absence of a fix, users are recommended to remove the plugin from their WordPress installations until a fix is available.


The development comes days after Wordfence warned of abuse in the wild of another zero-day flaw in a WordPress plugin called BackupBuddy.

The disclosure also comes as Sansec revealed that threat actors have broken into the extension license system of FishPig, a provider of popular Magento-WordPress integrations, to inject malicious code designed to install a remote access trojan called Rekoobe.
