Hackers have actively exploited a zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway, potentially allowing malicious actors to take over affected sites completely.
The issue, tracked as CVE-2022-3180 (CVSS score: 9.8), is being weaponized to add a malicious administrator user to sites running the WPGateway plugin.
In an advisory, Wordfence researcher Ram Gall said, “Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin. We released a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response customers to block the exploit on the same day. Sites still running the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022. The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.”
The WPGateway plugin is tied to the WPGateway cloud service and offers users a way to set up and manage WordPress sites from a single dashboard. Part of the plugin's functionality exposes the vulnerability, CVE-2022-3180, which allows unauthenticated attackers to insert a malicious administrator.
Wordfence released a public service announcement (PSA) to its users. However, it has withheld certain details to prevent further exploitation.
How to identify a compromise?
The most common sign that a website has been hacked is that someone has added a user with the name ‘rangex’. If this user appears in your dashboard, your site has been compromised.
Apart from this, check your site’s access logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1.
The presence of these requests in your logs indicates that your site has been attacked by exploiting this vulnerability. However, it does not confirm that the site was successfully compromised.
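As an added example (not from Wordfence or the article), the following Python script applies the two checks above to constructed sample data: it parses access-log lines in the common Apache/Nginx combined format, flags requests to the WPGateway web-service script that carry the wp_new_credentials parameter, and looks for the ‘rangex’ user login. The log lines, IP addresses and user list are constructed; the indicator path, parameter and username are the ones given in the text.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in the Apache/Nginx "combined" log format; not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [12/Sep/2022:10:15:01 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2022:10:15:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Sep/2022:10:15:09 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 128 "-" "curl/7.85.0"
192.0.2.55 - - [12/Sep/2022:10:16:00 +0000] "GET /wp-content/plugins/wpgateway/readme.txt HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Indicators taken from the advisory text above.
IOC_SCRIPT = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"
IOC_USERNAME = "rangex"

# One line of the combined log format: client IP, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_exploit_request(target):
    """Return True when a request target matches the IoC: the WPGateway web-service
    script requested with the wp_new_credentials parameter."""
    path, _, query = target.partition("?")
    # Servers log the request target exactly as the client sent it, so the '//' prefix
    # shown in the advisory appears verbatim; collapse repeated slashes before comparing.
    path = re.sub(r"/+", "/", path)
    if not path.endswith(IOC_SCRIPT):
        return False
    return IOC_PARAM in parse_qs(query, keep_blank_values=True)


def scan_access_log(log_text):
    """Return one record (IP, time, method, status) per request matching the IoC.
    A match shows an exploitation attempt, not a confirmed compromise."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_exploit_request(m.group("target")):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "status")})
    return hits


def find_suspicious_users(user_logins):
    """Return the user logins that match the attacker-created username from the advisory."""
    return [u for u in user_logins if u.lower() == IOC_USERNAME]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("exploit attempt: %(ip)s %(method)s at %(ts)s -> HTTP %(status)s" % hit)
    # Constructed user list; on a real site, feed it the logins from the Users screen.
    print("suspicious users:", find_suspicious_users(["admin", "editor_jane", "rangex"]))
```

On a real site, point scan_access_log at the web server's access log and find_suspicious_users at the list of user logins from the WordPress Users screen. A log hit, even one answered with HTTP 200, only shows that the vulnerability was targeted; the presence of the ‘rangex’ administrator is the indicator of a successful compromise.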
Wordfence’s advisory asks users with the WPGateway plugin installed to remove it immediately until a patch is made available. Users should also check their WordPress dashboards for malicious administrator users.