Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability


![WordPress Sites](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj_xdieHFkFFbl7fmbgIdEcw72-cHjVGGE6Np2MRXOuPlbB36Q8eWf3fOmDAmEm5yrFb--gM194r5Pblo78MXEZYaoxUCmh5kYkxTwNdgu7rk-676BxL6m8DgpfwqFO3yY-x2o4kEq-Z_8j6kb_p_jENmjA856b0i8-bFjZH0u786I_FvlQgnbdFnJLMA/s728-e1000/wordpress-plugin-hacking.jpg)

A zero-day flaw in the latest version of a WordPress premium plugin known as [WPGateway](<https://www.wpgateway.com/>) is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites.

Tracked as **CVE-2022-3180** (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted. "Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator," Wordfence researcher Ram Gall [said](<https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/>) in an advisory.

WPGateway is billed as a means for site administrators to install, back up, and clone WordPress plugins and themes from a unified dashboard.

The most common indicator that a website running the plugin has been compromised is the presence of an administrator account with the username "rangex." Additionally, requests to "//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1" in the access logs are a sign that the site has been targeted using the flaw, although such requests alone do not imply a successful breach: a request that was blocked or failed still leaves an entry, so the site's administrator list, not the access log, is the deciding check.
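As an added example that is not part of the original article or of Wordfence's advisory, the following Python script checks the two indicators above: it scans web server access log lines for the exploit request pattern (normalising the doubled leading slash the advisory quotes) and checks a WordPress user list for an administrator named rangex. The log lines are constructed for this example; the user-list records are assumed to be shaped like the JSON output of `wp user list` (fields `user_login` and `roles`), which is an assumption about that tool's output rather than something the article states.

```python
import re
from urllib.parse import parse_qs

# Indicators of compromise named in the Wordfence advisory.
SUSPICIOUS_ADMIN = "rangex"
EXPLOIT_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
EXPLOIT_PARAM = "wp_new_credentials"

# Constructed sample access log in combined log format (not real traffic).
# Lines 1 and 3 mimic the request pattern from the advisory; line 1 keeps the
# doubled leading slash exactly as the advisory quotes it. Line 4 hits the
# same endpoint without the parameter and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2022:10:14:03 +0000] "POST //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Sep/2022:10:15:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2022:10:15:40 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 403 0 "-" "curl/7.81.0"
198.51.100.9 - - [12/Sep/2022:10:16:02 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def is_exploit_request(target):
    """True if a request target matches the advisory's exploit pattern."""
    path, _, query = target.partition("?")
    # Collapse runs of slashes so "//wp-content/..." matches the plain path;
    # urllib.parse.urlparse would instead read "//wp-content" as a host.
    path = re.sub(r"/{2,}", "/", path)
    params = parse_qs(query)
    return path == EXPLOIT_PATH and EXPLOIT_PARAM in params


def find_exploit_attempts(log_text):
    """Return one record per matching request. The HTTP status is kept
    because a 2xx only shows the endpoint answered, not that an admin was
    created; a 403 means a WAF or rule blocked it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_exploit_request(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status"))})
    return hits


def suspicious_admins(users):
    """users: list of dicts with user_login and roles (assumed shape of
    `wp user list --format=json` output). Returns logins to review."""
    return [u["user_login"] for u in users
            if "administrator" in u.get("roles", "")
            and u["user_login"].lower() == SUSPICIOUS_ADMIN]


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print("exploit attempt:", hit)
    # Constructed user list standing in for the site's real administrators.
    sample_users = [{"user_login": "alice", "roles": "administrator"},
                    {"user_login": "rangex", "roles": "administrator"}]
    print("suspicious administrators:", suspicious_admins(sample_users))
```

On a real site, feed the script the web server's access log and the output of `wp user list --role=administrator --format=json`; a hit in the log with no matching administrator still warrants checking that the plugin has been removed, while the presence of the rangex account means the site should be handled as compromised.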
Wordfence said it blocked over 4.6 million attacks attempting to exploit the vulnerability against more than 280,000 sites in the past 30 days. Further details about the vulnerability have been withheld owing to active exploitation and to prevent other actors from taking advantage of the shortcoming.

In the absence of a patch, users are recommended to remove the plugin from their WordPress installations until a fix is available. A site that already has the "rangex" administrator should be treated as compromised rather than merely cleaned up by deleting that user, since an attacker with administrator access can install a backdoor that survives the account's removal.

The development comes days after Wordfence warned of [in-the-wild abuse](<https://thehackernews.com/2022/09/hackers-exploit-zero-day-in-wordpress.html>) of another zero-day flaw in a WordPress plugin called BackupBuddy. The disclosure also arrives as Sansec [revealed](<https://sansec.io/research/rekoobe-fishpig-magento>) that threat actors broke into the extension license system of [FishPig](<https://fishpig.co.uk/security-announcements/#X20220913>), a vendor of popular Magento-WordPress integrations, to inject malicious code designed to install a remote access trojan called [Rekoobe](<https://thehackernews.com/2022/06/new-syslogk-linux-rootkit-lets.html>).