WPGateway WordPress Plugin Zero-Day Flaw Actively Exploited in Recent Attacks

Vlad CONSTANTINESCU

September 14, 2022

Wordfence Threat Intelligence researchers identified a WPGateway zero-day flaw that has been wielded in recent attacks against WordPress websites running the plugin.

The vulnerability, tracked as CVE-2022-3180, is an unauthenticated privilege escalation flaw that could let attackers add a rogue administrator account to vulnerable websites. Perpetrators could abuse the malicious account’s administrator privileges to take over compromised sites completely.

WPGateway is a premium plugin that gives WPGateway cloud users a dashboard to configure and manage WordPress websites. Part of the plugin's core functionality exposes the vulnerability, which lets unauthenticated attackers add fake administrator accounts to the dashboard.

“As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users,” reads Wordfence’s security advisory. “We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.”

The vulnerability affects versions 3.5 and earlier of the plugin, and developers are yet to release a patch. Wordfence recommends that affected users remove the plugin completely until an official fix is released. Furthermore, the company rolled out a series of firewall rules for its Premium, Response and Care tiers and will do the same for Free tier users 30 days later.

Wordfence’s security advisory also included some indicators of compromise to help users determine whether their sites have fallen prey to the vulnerability. The most common clue is the presence of an administrator user account named rangex. Seeing the username in the dashboard means that the website has been compromised.

Another way to assess the website’s exposure to the attack is to check its access logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1. Identifying the requests in the website’s logs is a solid indicator that it was targeted by an attack leveraging the WPGateway flaw, but it doesn’t necessarily mean it’s also been compromised.
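A defender-side check for the two indicators described above, written as an added example for this article rather than code from Wordfence or Bitdefender: it scans access-log lines for requests to the advisory's URL (evidence of targeting) and flags a `rangex` administrator in a user list (evidence of compromise). The combined log format, the wp-cli command mentioned in a comment, and the sample log and user data are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Indicators quoted in the article from Wordfence's advisory.
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"
IOC_USERNAME = "rangex"

# Combined log format (Apache/Nginx default): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def match_probe(line):
    """Return request details if this log line hits the WPGateway IoC URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Collapse repeated slashes: the advisory shows the request path starting with "//".
    path = re.sub(r"/+", "/", path)
    if path != IOC_PATH:
        return None
    if parse_qs(query).get(IOC_PARAM, [""])[0] != "1":
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "method": m.group("method"), "status": int(m.group("status"))}

def scan_access_log(lines):
    """All requests matching the IoC URL: the site was targeted, not necessarily compromised."""
    return [hit for hit in map(match_probe, lines) if hit]

def rogue_admins(users):
    """users: (login, roles) pairs, e.g. from `wp user list --fields=user_login,roles`.
    A 'rangex' administrator is the compromise indicator the advisory names."""
    return [login for login, roles in users
            if login == IOC_USERNAME and "administrator" in roles]

# Constructed sample data (not real traffic): two probes and one ordinary request.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2022:10:01:22 +0000] "POST //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.4 - - [13/Sep/2022:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2022:10:05:40 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1&x=2 HTTP/1.1" 403 199 "-" "curl/7.85"
""".splitlines()
SAMPLE_USERS = [("alice", ["administrator"]), ("rangex", ["administrator"]), ("bob", ["editor"])]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("targeted:", hit)
    for login in rogue_admins(SAMPLE_USERS):
        print("compromised: rogue administrator", login)
```

A 403 on a matching request, as in the third sample line, is consistent with a firewall rule blocking the probe; a 200 deserves a closer look at the user list.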
