Villains hack WordPress sites after 0-day in WPGateway plugin

The Wordfence Threat Intelligence team warns of attacks on WordPress sites that exploit a zero-day vulnerability in the WPGateway plugin. In these attacks, the attackers gain complete control over the targeted site.

The WPGateway plugin lets WordPress site administrators simplify certain tasks. For example, it can be used to customize or back up a site, as well as to manage themes and plugins.

However, a critical vulnerability, tracked as CVE-2022-3180, was found in the plugin. It allows an unauthenticated attacker to add new users with administrator rights.

An attacker who successfully uses the exploit can gain full control over the victim’s website. Ram Gall from Wordfence writes the following regarding the vulnerability:

“On September 8, 2022, the Wordfence Threat Intelligence team became aware of the active exploitation of a 0-day vulnerability in real cyber attacks. The attackers added their own users with administrator rights to sites running the WPGateway plugin.”

“Over the past 30 days, the Wordfence firewall has been able to block over 4.6 million attacks using this 0-day targeting over 280,000 sites.”

The researchers are not yet publishing additional details of the attacks, so as not to provoke a new wave. The perpetrators behind the attacks have also not been named. All owners of WordPress sites where the WPGateway plugin is installed should urgently install the patch.

Checking whether your site has been hacked with this exploit is easy: look for a user named rangex in the site's user list.
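One way to automate that check, as an added example that is not from Wordfence or the original article: the script reads a user list exported with WP-CLI (`wp user list --fields=ID,user_login,roles,user_registered --format=csv`) and reports any `rangex` account. Going slightly beyond the article, it also lists administrators that are not on an allow-list; the sample rows, the `audit_users` function and the `known_admins` allow-list are assumptions made for illustration.

```python
import csv
import io

IOC_LOGIN = "rangex"  # the username the article says to look for

# Constructed sample (not real data) in the shape produced by:
#   wp user list --fields=ID,user_login,roles,user_registered --format=csv
SAMPLE_CSV = """\
ID,user_login,roles,user_registered
1,siteowner,administrator,2019-03-14 09:12:44
7,editor_anna,editor,2021-11-02 17:40:01
23,RangeX,administrator,2022-09-10 03:21:57
24,shopbot,"customer,subscriber",2022-09-11 12:00:00
"""


def audit_users(csv_text, known_admins=()):
    """Return (ioc_hits, unexpected_admins) for a CSV user export.

    known_admins is a hypothetical allow-list of administrator logins
    the site owner recognises; any other administrator is reported.
    """
    known = {name.lower() for name in known_admins}
    ioc_hits, unexpected_admins = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        # WP-CLI joins multiple roles with commas inside one CSV field.
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        if login.lower() == IOC_LOGIN:
            # Match regardless of letter case or assigned role.
            ioc_hits.append(row)
        elif "administrator" in roles and login.lower() not in known:
            unexpected_admins.append(row)
    return ioc_hits, unexpected_admins


if __name__ == "__main__":
    hits, extra = audit_users(SAMPLE_CSV, known_admins=["siteowner"])
    for row in hits:
        print(f"COMPROMISE INDICATOR: user {row['user_login']!r} "
              f"(ID {row['ID']}, registered {row['user_registered']})")
    for row in extra:
        print(f"Review administrator: {row['user_login']!r} (ID {row['ID']})")
    if not hits and not extra:
        print("No 'rangex' user and no unrecognised administrators found.")
```

To audit a real site, pass the text of your own export to `audit_users` in place of `SAMPLE_CSV`.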
