Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

A zero-day flaw in the latest version of a WordPress premium
plugin known as WPGateway[1]
is being actively exploited in the wild, potentially allowing
malicious actors to completely take over affected sites.

Tracked as CVE-2022-3180 (CVSS score: 9.8), the
issue is being weaponized to add a malicious administrator user to
sites running the WPGateway plugin, WordPress security company
Wordfence noted.

“Part of the plugin functionality exposes a vulnerability that
allows unauthenticated attackers to insert a malicious
administrator,” Wordfence researcher Ram Gall said[2]
in an advisory.

WPGateway is billed as a means for site administrators to
install, back up, and clone WordPress plugins and themes from a
unified dashboard.

The most common indicator that a website running the plugin has
been compromised is the presence of an administrator with the
username “rangex.”

Additionally, the appearance of requests to
“//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1”
in the access logs is a sign that the WordPress site has been
targeted using the flaw, although it doesn’t necessarily imply a
successful breach.
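
The two indicators above can be checked mechanically. The following Python sketch is an added example, not code from Wordfence or the plugin: it scans combined-format access log lines for the request named above and checks a user list for the "rangex" administrator. The sample log lines, IP addresses and user tuples are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Indicators taken from the article.
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"
IOC_ADMIN = "rangex"

# Common/combined log format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_ioc_request(target):
    """True if the request target hits the WPGateway endpoint with the IoC parameter."""
    # Split on "?" by hand: urllib's urlsplit would treat a leading "//" as a
    # hostname and drop "wp-content" from the path.
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(path))  # decode %XX, collapse "//" to "/"
    return path == IOC_PATH and IOC_PARAM in parse_qs(query, keep_blank_values=True)

def scan_access_log(lines):
    """Return (hits, per_ip); each hit is (ip, time, method, status)."""
    # The status code is kept for triage only: as the article notes, a matching
    # request shows targeting, not necessarily a successful breach.
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ioc_request(m.group(4)):
            ip, when, method, _, status = m.groups()
            hits.append((ip, when, method, int(status)))
            per_ip[ip] += 1
    return hits, per_ip

def rogue_admins(users):
    """users: iterable of (login, role) pairs, e.g. an export of the WordPress user list."""
    return [login for login, role in users
            if role == "administrator" and login.lower() == IOC_ADMIN]

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2022:10:01:02 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [14/Sep/2022:11:15:40 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [14/Sep/2022:11:20:00 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php HTTP/1.1" 200 90 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG)[0]:
        print(hit)
    print(rogue_admins([("alice", "administrator"), ("rangex", "administrator")]))
```

A hit in the log warrants the user-list check even when the logged status is an error, since the two indicators are independent.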

Wordfence said it blocked over 4.6 million attacks attempting to
take advantage of the vulnerability against more than 280,000 sites
in the past 30 days.

Further details about the vulnerability have been withheld owing
to active exploitation and to prevent other actors from taking
advantage of the shortcoming. In the absence of a patch, users are
recommended to remove the plugin from their WordPress installations
until a fix is available.

The development comes days after Wordfence warned of in-the-wild abuse[3]
of another zero-day flaw in a WordPress plugin called
BackupBuddy.

The disclosure also arrives as Sansec revealed[4]
that threat actors broke into the extension license system of
FishPig[5], a vendor of popular
Magento-WordPress integrations, to inject malicious code that’s
designed to install a remote access trojan called Rekoobe[6].

References

  1. WPGateway (www.wpgateway.com)
  2. said (www.wordfence.com)
  3. in-the-wild abuse (thehackernews.com)
  4. revealed (sansec.io)
  5. FishPig (fishpig.co.uk)
  6. Rekoobe (thehackernews.com)