Actively Exploited Zero-Day CVE-2022-3180 Found in Popular WordPress Plugin

CVE-2022-3180

More than 280,000 websites are exposed to attacks targeting a critical zero-day vulnerability in the WPGateway plugin, the Wordfence team at WordPress security company Defiant warns.

The WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to set up and manages WordPress sites from a single dashboard.

This week, Wordfence discovered that threat actors are targeting an unpatched critical vulnerability in WPGateway. Tracked as CVE-2022-3180 and featuring a CVSS score of 9.8, the security bug allows unauthenticated attackers to add a malicious user with admin privileges to completely take over sites.

CVE-2022-3180

On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin,” Wordfence senior threat analyst Ram Gall said. “The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.

Wordfence has refrained from providing further details on the vulnerability but says it will release additional technical information once a patch has been released. However, the security firm did share indicators of compromise (IOCs), which include the presence of “a malicious administrator with the username of rangex.”

Also, the admin can check your site’s access logs for requests to  //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 to know that wherever your site has been attacked using an exploit targeting the CVE-2022-3180 vulnerability. But it does not necessarily indicate that it has been successfully compromised.

If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard,” Gall concluded.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild.

In related news, Wordfence has seen a massive surge in the number of attack attempts targeting the vulnerability in the BackupBuddy WordPress plugin, with 4,948,926 attacks.