WPGateway WordPress plugin vulnerability could allow full site takeover
Categories: News. Tags: WPGateway, WordPress, plugin, vulnerability, CVE
We take a look at a vulnerability being exploited in the wild related to the WPGateway WordPress plugin.
The post WPGateway WordPress plugin vulnerability could allow full site takeover appeared first on Malwarebytes Labs.
There have been a few WordPress plugin vulnerabilities exploited in the wild recently, and today there is another one to add to the list. Sometimes when word of a WordPress plugin issue breaks, a fix is already available and all you have to do is update. On other occasions the attack is live and doing damage with no fix yet available. Sadly, the current exploit is an example of the latter.
WPGateway is a premium plugin that lets users set up and manage multiple WordPress sites from a single dashboard. Unfortunately, research shows that part of this functionality puts both the site and the site’s users at risk.
Beware of rogue admins
The issue in question allows an unauthenticated attacker to add a new user to the site. That rogue user is created with full administrator privileges, which amounts to a complete takeover of the site through the plugin.
At that point the attacker can do whatever they want with the hijacked website: install further plugins, edit content and code, or exfiltrate data, since they hold the same rights as the legitimate owner. The vulnerability is listed on the Common Vulnerabilities and Exposures site as CVE-2022-3180. However, no additional details are available from that entry yet, as the identifier has merely been reserved at this point.
Active exploitation
The issue was first discovered on September 8, and is being actively exploited. There is very little additional information to go on at this point, because the specifics of the vulnerability are being withheld to avoid helping further attackers while no fix exists. As a result, site owners are largely reliant on the WPGateway developers to get a patch put together.
Detecting and avoiding compromise
Options are limited, but for now the main advice from Wordfence is this:
Remove the plugin installation until a patch is made available.
Check for malicious admin accounts in your WordPress dashboard. The username “rangex” is a common indicator of compromise, but review every administrator account rather than only that name: it is the username most often seen, and an attacker can choose any other.
You can also check site access logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1. A hit indicates that an attack attempt was made, but not that it succeeded, which is why checking for the “rangex” username and other unexpected administrators is so important. Fingers crossed that this issue will receive a speedy patch from the plugin developers.
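As an added example (not code from Malwarebytes Labs or Wordfence), the following Python helper applies the two checks above to constructed sample data. It scans access-log lines in Combined Log Format for the indicator request, percent-decoding the path and collapsing the double slash so that trivially obfuscated attempts are not missed, and it flags administrator accounts whose username is “rangex” or that were registered on or after September 8, the discovery date. The registration-date cutoff is an assumption of this example that goes beyond the article’s advice; the log lines and user records are constructed, not real traffic.

```python
"""Triage helpers for the WPGateway indicator of compromise.

Added example, not code from Malwarebytes Labs or Wordfence. The access-log
lines and the administrator records below are constructed for illustration.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, unquote

# Request path and query parameter published as the indicator of an attack attempt.
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"
# Username reported as a common indicator of compromise.
ROGUE_USERNAMES = {"rangex"}
# Assumption for triage: administrators created on or after the discovery date deserve review.
DISCOVERY_DATE = datetime(2022, 9, 8, tzinfo=timezone.utc)

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(path):
    """Percent-decode, collapse repeated slashes and lowercase, so that
    '//wp-content/%70lugins/...' compares equal to IOC_PATH."""
    return re.sub(r"/{2,}", "/", unquote(path)).lower()


def is_wpgateway_attempt(target):
    """True when a request target hits the WPGateway webservice with wp_new_credentials=1.

    The target is split by hand rather than with urlsplit(): a target starting
    with '//' (as the published indicator does) would otherwise be parsed as a
    network location and the path would never match."""
    path, _, query = target.partition("?")
    if normalise_path(path) != IOC_PATH:
        return False
    params = parse_qs(query)  # parse_qs percent-decodes parameter names and values
    return params.get(IOC_PARAM, [""])[0] == "1"


def find_attack_attempts(log_lines):
    """Return (client_ip, timestamp, status) for each log line matching the indicator.

    A hit means an attempt was made, not that it succeeded; the administrator
    review in suspicious_admins() is what shows whether the site was compromised."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_wpgateway_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("time"), int(m.group("status"))))
    return hits


def suspicious_admins(admins, since=DISCOVERY_DATE):
    """Flag (login, registered) administrator records by rogue username or recent creation."""
    flagged = []
    for login, registered in admins:
        reasons = []
        if login.lower() in ROGUE_USERNAMES:
            reasons.append("known rogue username")
        if registered >= since:
            reasons.append("registered on or after discovery date")
        if reasons:
            flagged.append((login, reasons))
    return flagged


# Constructed sample data (not real traffic or real accounts).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Sep/2022:10:15:32 +0000] "GET //wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [13/Sep/2022:10:15:33 +0000] "POST /wp-content/%70lugins/wpgateway/'
    'wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "python-requests/2.28"',
    '198.51.100.4 - - [13/Sep/2022:10:16:01 +0000] "GET /wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?foo=1 HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [13/Sep/2022:10:17:45 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]
SAMPLE_ADMINS = [
    ("siteowner", datetime(2021, 3, 1, tzinfo=timezone.utc)),
    ("rangex", datetime(2022, 9, 13, tzinfo=timezone.utc)),
    ("backup_admin", datetime(2022, 9, 12, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for ip, when, status in find_attack_attempts(SAMPLE_LOG):
        print(f"attack attempt from {ip} at {when} (HTTP {status})")
    for login, reasons in suspicious_admins(SAMPLE_ADMINS):
        print(f"review administrator '{login}': {', '.join(reasons)}")
```

On a real site, feed the web server’s access log into find_attack_attempts() and the output of a WordPress user export or a database query for accounts with the administrator role into suspicious_admins(); any hit from the first function is a reason to run the second, and any flagged account is a reason to treat the site as compromised until proven otherwise.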
Stay safe out there!
Related news
WordPress WPGateway plugin versions 3.5 and below suffer from an unauthenticated privilege escalation vulnerability.
A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites. Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence