Researchers on Wordfence's Threat Intelligence team have warned that WordPress websites running the WPGateway plugin are being exploited through a zero-day vulnerability in the plugin. It is a critical privilege escalation flaw, tracked as CVE-2022-3180, that allows an unauthenticated attacker to add a rogue user with administrator privileges.
According to Wordfence, it has blocked more than 4.6 million attacks targeting the vulnerability against more than 280,000 sites in the last 30 days. While the company has disclosed that the flaw is being actively exploited, it has withheld details of the vulnerability itself and the attack vector to avoid enabling further exploitation.
This also buys WPGateway users some time before more attackers pick up the exploit. The plugin vendor has been informed of the issue, so a fix may well be on the way; until one is released there is no patch to apply, and Wordfence's advice is to block the exploit at the firewall or remove the plugin.
As for the plugin itself, WPGateway is a premium plugin for the WPGateway cloud service, which lets users set up and manage multiple WordPress sites from a single dashboard. Convenient as that is, the same functionality exposes a vulnerability that allows unauthenticated attackers to register malicious administrator accounts.
Wordfence has also published indicators of compromise so users can find out whether they have been targeted. The most common indicator of compromise is the presence of a malicious administrator account named 'rangex'. Additionally, requests to the URL given in Wordfence's advisory appearing in a site's access logs indicate that the site was targeted with the exploit, although not necessarily that it was compromised.
The company released a firewall rule to block the exploit for Wordfence Premium, Wordfence Care and Wordfence Response customers on September 8, 2022, the same day it discovered the vulnerability. Sites running the free version of Wordfence receive the same rule 30 days later, on October 8, 2022.
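The two indicators above map onto different conclusions: a rogue 'rangex' administrator means the site is compromised, while exploit requests in the access log only mean it was targeted. The following script, added here as an illustration and not code from Wordfence or the WPGateway vendor, applies that triage to a WordPress user list (in the shape `wp user list --format=json` produces) and to a web server access log in the common Apache/nginx "combined" format. The plugin directory path it matches on and the sample users and log lines are constructed assumptions; the exact targeted URL should be taken from Wordfence's advisory and substituted in.

```python
"""Triage helper for the WPGateway indicators of compromise (added example)."""
import re

# Assumption: the plugin is installed under this path; substitute the exact
# targeted URL from Wordfence's advisory for a precise match.
WPGATEWAY_PLUGIN_PATH = "/wp-content/plugins/wpgateway/"

# The administrator username Wordfence names as an indicator of compromise.
SUSPICIOUS_LOGINS = {"rangex"}

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_targeting_requests(log_lines, plugin_path=WPGATEWAY_PLUGIN_PATH):
    """Return parsed requests whose path touches the WPGateway plugin directory."""
    hits = []
    for line in log_lines:
        entry = parse_log_line(line)
        if entry and plugin_path in entry["path"]:
            hits.append(entry)
    return hits


def find_suspicious_admins(users, suspicious_logins=SUSPICIOUS_LOGINS):
    """users: dicts with user_login and roles, as `wp user list --format=json` emits."""
    return [
        u for u in users
        if u["user_login"].lower() in suspicious_logins
        and "administrator" in u.get("roles", "")
    ]


def triage(users, log_lines):
    """A rogue admin means compromised; plugin-path requests alone mean targeted."""
    rogue_admins = find_suspicious_admins(users)
    hits = find_targeting_requests(log_lines)
    if rogue_admins:
        verdict = "compromised"
    elif hits:
        verdict = "targeted"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "rogue_admins": rogue_admins, "targeting_requests": hits}


# Constructed sample data for the demonstration (not real users or logs).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "roles": "administrator"},
    {"ID": 7, "user_login": "editor1", "roles": "editor"},
    {"ID": 42, "user_login": "rangex", "roles": "administrator"},
]

SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2022:10:14:22 +0000] "GET /wp-login.php HTTP/1.1" 200 3412',
    # Placeholder request under the plugin directory; the real IoC URL differs.
    '203.0.113.5 - - [08/Sep/2022:10:14:25 +0000] "POST /wp-content/plugins/wpgateway/placeholder.php?x=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [08/Sep/2022:11:02:01 +0000] "GET /wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 9812',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    result = triage(SAMPLE_USERS, SAMPLE_LOG)
    print("verdict:", result["verdict"])
    for r in result["targeting_requests"]:
        print(f'  targeted: {r["time"]} {r["ip"]} {r["method"]} {r["path"]} -> {r["status"]}')
    for u in result["rogue_admins"]:
        print(f'  rogue admin: ID={u["ID"]} login={u["user_login"]}')
```

On a live site, feed `triage()` the output of `wp user list --format=json` and the web server's access log; a "targeted" verdict with no rogue admin still warrants checking the firewall rule is active, since the attack can be retried.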
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.