WPGateway, a premium WordPress plugin, has a zero-day vulnerability that is already being aggressively exploited in the wild. It gives attackers the ability to take over vulnerable websites completely.
According to WordPress security firm Wordfence, the vulnerability, identified as CVE-2022-3180 (CVSS score: 9.8), is being exploited to add a malicious administrator user to websites running the WPGateway plugin.
According to Wordfence researcher Ram Gall's report, part of the plugin's functionality exposes a vulnerability that permits unauthenticated attackers to inject a malicious administrator user.
According to its marketing, WPGateway lets users install, back up, and copy WordPress plugins and themes.
The most common sign that a website using the plugin has been compromised is the presence of an administrator account with the username "range".
In addition, requests to "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1" in the access logs indicate that the WordPress site has been targeted using the vulnerability, although this does not necessarily mean the attack succeeded.
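The two indicators above (the "range" administrator account and requests to the wpgateway-webservice-new.php endpoint with the wp_new_credentials parameter) can be checked with a short triage script. The following is an added example written for this page, not code from Wordfence or from the WPGateway project; the log format (Apache/nginx combined), the function names and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators of compromise as given in the article above.
WPGATEWAY_ENDPOINT = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
WPGATEWAY_PARAM = "wp_new_credentials"
SUSPICIOUS_ADMIN = "range"

# Apache/nginx "combined" log format: client IP, identd, user, [timestamp],
# "METHOD target PROTOCOL", status, ... (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlparse(entry["target"])
    entry["path"] = url.path
    entry["query"] = parse_qs(url.query)
    return entry


def is_wpgateway_probe(entry):
    """True when the request hits the plugin endpoint with the wp_new_credentials parameter."""
    return entry["path"].endswith(WPGATEWAY_ENDPOINT) and WPGATEWAY_PARAM in entry["query"]


def find_probes(log_lines):
    """Return every request matching the exploitation-attempt indicator, with its HTTP status.

    A hit means the site was targeted; the status code alone does not prove
    the attempt succeeded, so pair this with the admin-account check below.
    """
    hits = []
    for line in log_lines:
        entry = parse_line(line)
        if entry and is_wpgateway_probe(entry):
            hits.append({"ip": entry["ip"], "ts": entry["ts"], "status": int(entry["status"])})
    return hits


def suspicious_admins(admin_usernames):
    """Return administrator usernames that match the known injected-account name."""
    return [u for u in admin_usernames if u == SUSPICIOUS_ADMIN]


def triage(log_lines, admin_usernames):
    """Combine both indicators into one verdict for an incident responder."""
    probes = find_probes(log_lines)
    admins = suspicious_admins(admin_usernames)
    return {
        "targeted": bool(probes),
        "probe_count": len(probes),
        "probe_sources": sorted({p["ip"] for p in probes}),
        "likely_compromised": bool(admins),
        "suspicious_admins": admins,
    }


# Constructed sample log lines (RFC 5737 documentation addresses; not from a real incident).
SAMPLE_LOG = [
    '203.0.113.10 - - [13/Sep/2022:10:01:22 +0000] "GET /wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Sep/2022:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3321 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [13/Sep/2022:10:03:45 +0000] "GET /wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 403 199 "-" "curl/7.85.0"',
    '192.0.2.5 - - [13/Sep/2022:10:05:00 +0000] "GET /wp-content/plugins/wpgateway/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Constructed administrator list, e.g. the output of `wp user list --role=administrator`.
SAMPLE_ADMINS = ["admin", "range", "editor-jane"]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_ADMINS))
```

The script separates "targeted" (any probe in the logs) from "likely compromised" (the injected account is present), which mirrors the distinction the article draws: the request alone shows an attempt, and the admin list shows whether it worked. On a live site, feed it the real access log and the current administrator usernames, and treat a positive admin match as a compromise to be handled by removing the plugin and rotating credentials.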
In the last 30 days, Wordfence claimed to have stopped over 4.6 million attempts to exploit the vulnerability against more than 280,000 sites.
We have withheld additional details about the WPGateway zero-day vulnerability because of the active exploitation and to prevent other adversaries from using the flaw. Until a patch is available, if one is not already, users should remove the plugin from their WordPress installations.
The development came a few days after Wordfence warned about the exploitation of a different zero-day vulnerability in a WordPress plugin called BackupBuddy.
Separately, Sansec disclosed that threat actors had injected malicious code designed to install the Rekoobe remote access trojan into the extension license system of FishPig, a supplier of popular Magento-WordPress integrations.