Threat actors are actively exploiting a zero-day in WPGateway WordPress plugin

Pierluigi Paganini September 14, 2022

Threat actors are actively exploiting a zero-day vulnerability in the WPGateway premium plugin to target WordPress websites.

The Wordfence Threat Intelligence team reported that threat actors are actively exploiting a zero-day vulnerability (CVE-2022-3180) in the WPGateway premium plugin in attacks aimed at WordPress sites.

The WPGateway plugin is a premium plugin that allows users of the WPGateway cloud service to set up and manage WordPress sites from a single dashboard.

CVE-2022-3180 is a privilege escalation flaw: an unauthenticated attacker can trigger it to add a rogue user with administrator privileges and completely take over sites running the vulnerable WordPress plugin.

“On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin.” reads the advisory published by Wordfence.

Wordfence reported that its firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.

The company did not share technical details about the attacks, to prevent further exploitation in the wild.

The company did, however, share indicators of compromise (IoCs) to allow WordPress admins to determine whether their site has been compromised.

The most common indicator of compromise is a malicious administrator with the username of rangex.

Admins can also check their site’s access logs for requests to

//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1

The presence of these requests in the logs indicates that threat actors attempted to exploit this vulnerability, but it does not by itself mean that the site was successfully compromised.
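The two indicators above (a rogue administrator named rangex, and requests to the WPGateway webservice endpoint with wp_new_credentials=1) can be checked mechanically. The script below is an added example, not code from the article or from Wordfence: it parses access-log lines in the common combined format, flags requests matching the advisory's URL, and checks a list of WordPress users for the IoC username. The log lines and user list are constructed sample data; the IoC values themselves come from the article.

```python
import re
from urllib.parse import parse_qs

# IoCs quoted in the Wordfence advisory (see article above)
IOC_USERNAME = "rangex"
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"

# Apache/nginx "combined" log format; assumption: your server uses this layout
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def is_exploit_attempt(target):
    """True if a request target matches the advisory's IoC URL."""
    # Split by hand rather than with urlsplit(): a target starting with
    # '//' (as in the advisory) would otherwise be parsed as a host name.
    path, _, query = target.partition("?")
    # Collapse repeated slashes so '//wp-content/...' and '/wp-content/...' both match
    path = re.sub(r"/{2,}", "/", path)
    if not path.endswith(IOC_PATH):
        return False
    return parse_qs(query).get(IOC_PARAM, [""])[0] == "1"


def scan_access_log(lines):
    """Return one record per log line that matches the exploit-attempt IoC.
    A hit means an attempt was made; the HTTP status alone does not prove success."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_exploit_attempt(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status"))})
    return hits


def find_rogue_admins(users):
    """users: iterable of (user_login, roles) pairs, e.g. exported from wp_users/wp_usermeta.
    Returns logins that match the IoC username and hold the administrator role."""
    return [login for login, roles in users
            if login == IOC_USERNAME and "administrator" in roles]


# Constructed sample data (not real traffic or a real site)
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2022:10:15:22 +0000] "POST //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Sep/2022:10:16:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3211',
    '203.0.113.5 - - [08/Sep/2022:10:16:40 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=0 HTTP/1.1" 403 0',
]
SAMPLE_USERS = [
    ("admin", ["administrator"]),
    ("rangex", ["administrator"]),
    ("editor1", ["editor"]),
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("exploit attempt:", hit)
    for login in find_rogue_admins(SAMPLE_USERS):
        print("rogue administrator present:", login)
```

To feed real data in, pipe your access log into `scan_access_log` line by line, and build the user list from the WordPress dashboard or with WP-CLI (`wp user list --role=administrator`). A log hit on its own means only that the endpoint was probed; the rogue administrator account is the indicator that the attempt succeeded.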

“If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard,” the advisory concludes.

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)
