Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

WPGateway, a premium WordPress plugin, has a zero-day vulnerability that is already being aggressively abused in the wild, giving bad actors the capability to entirely take over vulnerable websites.

According to WordPress security firm Wordfence, the vulnerability, identified as CVE-2022-3180 (CVSS score: 9.8), is being exploited to add a malicious administrator user to websites running the WPGateway plugin.

According to a report by Wordfence researcher Ram Gall, “part of the plugin functionality exposes a vulnerability that permits unauthenticated attackers to inject a malicious administrator.”

WordPress plugins and themes may be installed, backed up, and copied using WPGateway, according to its advertising.

The presence of an administrator with the username “rangex” is the most typical sign that a website using the plugin has been hijacked.

Moreover, requests to “/wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” in the access logs indicate that the WordPress site has been targeted using the vulnerability, but they do not necessarily mean a successful breach.
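The access-log indicator above can be checked with a short script. This is an added example, not code from Wordfence or the plugin: it assumes a common/combined-format access log, the function names are hypothetical, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Indicator from the article: requests to this plugin file with wp_new_credentials=1.
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_probe(target):
    """True if the request target matches the indicator after normalization."""
    # Split on "?" by hand: urlsplit() would read a leading "//" as a host name
    # and drop the first path segment, hiding double-slash variants.
    path, _, query = target.partition("?")
    path = re.sub(r"/{2,}", "/", unquote(path)).lower()
    if path != IOC_PATH:
        return False
    return "1" in parse_qs(query, keep_blank_values=True).get(IOC_PARAM, [])

def find_probes(lines):
    """Return {client_ip: [(time, method, status), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_probe(m["target"]):
            hits[m["ip"]].append((m["time"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2022:10:01:02 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.9 - - [14/Sep/2022:10:05:40 +0000] "GET /wp-content/plugins/wpgateway/wpgateway%2Dwebservice%2Dnew.php?wp_new_credentials=1 HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.44 - - [14/Sep/2022:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "-"',
    '192.0.2.44 - - [14/Sep/2022:10:06:09 +0000] "GET /wp-content/plugins/wpgateway/readme.txt HTTP/1.1" 200 800 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in find_probes(SAMPLE_LOG).items():
        for when, method, status in events:
            print(f"{ip} {when} {method} status={status}")
```

A match shows only that the site was targeted; the unexpected “rangex” administrator account is the sign of compromise the article describes.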

In the last 30 days, Wordfence claimed to have stopped over 4.6 million attempts to exploit the vulnerability against more than 280,000 sites.

Due to active exploitation and to stop other actors from exploiting the weakness, additional information regarding the vulnerability has been withheld. In the absence of a patch, users are advised to remove the plugin from their WordPress installations until a fix is released.

The development comes a few days after Wordfence warned of the exploitation of a different zero-day vulnerability in a WordPress plugin called BackupBuddy.

In addition, Sansec disclosed that threat actors had injected malicious code intended to install the Rekoobe remote access trojan into the extension license system of FishPig, a supplier of popular Magento-WordPress integrations.
