Security
Headlines
HeadlinesLatestCVEs

Headline

WPGateway WordPress plugin vulnerability could allow full site takeover

Categories: News Tags: WPGateway

Tags: WordPress

Tags: plugin

Tags: vulnerability

Tags: CVE

We take a look at a vulnerability being exploited in the wild related to the WPGateway WordPress plugin.

(Read more…)

The post WPGateway WordPress plugin vulnerability could allow full site takeover appeared first on Malwarebytes Labs.

Malwarebytes
#vulnerability#web#wordpress#php#auth

There’s been a few WordPress plugin vulnerabilities in the wild recently, and today we have another one to add to the list. Sometimes when word breaks of a WordPress plugin issue, a fix is already available and all you have to do is perform an update. On other occasions, the attack is live and out there doing damage with no fix yet available. Sadly, this current exploit is an example of the latter.

WPGateway allows WordPress users to run WordPress sites from one dashboard. Unfortunately, research shows that part of this functionality puts both the site and the site’s users at risk.

Beware of rogue admins

The issue in question allows unauthenticated individuals to add rogue users to the site. Those unauthorised users have full admin privileges, which essentially results in a full site takeover thanks to the plugin.

At this point, the compromiser can do what they want with the hijacked website. They are in full control, which is not a great situation for anybody. The vulnerability is listed on the Common Vulnerabilities and Exposures site as CVE-2022-3180. However, no additional information is forthcoming yet as the page has merely been reserved at this point.

Active exploitation

The issue was first discovered on September 8, and is being actively exploited. There is very little additional information to go on at this point, as the specifics of the vulnerability are being withheld. As a result, people will largely be reliant on the WPGateway team to get a patch put together.

Detecting and avoiding compromise

Options are limited, but for now the main advice from Wordfence is this:

  • Remove the plugin installation until a patch is made available.

  • Check for malicious admin accounts in your WordPress dashboard. The username “rangex” is a common indicator of compromise.

You can also check site access logs for requests to: //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1. This indicates an attack attempt was made, but does not mean your site has been compromised. This is why checking for the “rangex” username is so important. Fingers crossed that this issue will receive a speedy patch from the plugin developers.

Stay safe out there!

Related news

Go Update iOS, Chrome, and HP Computers to Fix Serious Flaws

Plus: WhatsApp plugs holes that could be used for remote execution attacks, Microsoft patches a zero-day vulnerability, and more.

WordPress WPGateway 3.5 Privilege Escalation

WordPress WPGateway plugin versions 3.5 and below suffer from an unauthenticated privilege escalation vulnerability.

Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites. Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence