Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

September 14, 2022

A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites.

Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted.

“Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator,” Wordfence researcher Ram Gall said in an advisory.

WPGateway is billed as a means for site administrators to install, backup, and clone WordPress plugins and themes from a unified dashboard.

The most common indicator that a website running the plugin has been compromised is the presence of an administrator with the username “rangex.”

Additionally, the appearance of requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” in the access logs is a sign that the WordPress site has been targeted using the flaw, although it doesn’t necessarily imply a successful breach.

Wordfence said it blocked over 4.6 million attacks attempting to take advantage of the vulnerability against more than 280,000 sites in the past 30 days.

Further details about the vulnerability have been withheld owing to active exploitation and to prevent other actors from taking advantage of the shortcoming. In the absence of a patch, users are recommended to remove the plugin from their WordPress installations until a fix is available.

The development comes days after Wordfence warned of in-the-wild abuse of another zero-day flaw in a WordPress plugin called BackupBuddy.

The disclosure also arrives as Sansec revealed that threat actors broke into the extension license system of FishPig, a vendor of popular Magento-WordPress integrations, to inject malicious code that’s designed to install a remote access trojan called Rekoobe.

Tags
September 14, 2022

Related Articles

Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints

October 28, 2022

Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity

June 17, 2022

Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

March 1, 2024

Zoom ZTP & AudioCodes Phones Flaws Uncovered, Exposing Users to Eavesdropping

August 12, 2023
© Copyright 2024, All Rights Reserved  |  PlanetJon
Back to top button