Is Your WordPress Site Compromised?

A recently discovered zero-day flaw in the latest version of the popular WordPress plugin known as WPGateway is being actively exploited in the wild, allowing malicious actors to completely take over affected sites. The plugin is touted as a means for site admins to install, back up, and clone WordPress plugins and themes from a unified dashboard.

A researcher from Wordfence, Ram Gall, said in the advisory that “Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.”

Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted.

The most common indicator that a website running the plugin has been compromised is the presence of an administrator with the username “rangex.”

Additionally, the appearance of requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” in the access logs is a sign that the WordPress site has been targeted using the flaw, although it doesn’t necessarily imply a successful breach.
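A detector for the two indicators above, as an added example that is not part of the original article or of Wordfence's tooling: it scans constructed Apache/nginx combined-format access-log lines for the wpgateway-webservice-new.php request and checks a constructed list of administrator usernames for "rangex". The log format, sample lines and usernames are assumptions.

```python
import re
from urllib.parse import parse_qs

# Indicators named in the advisory
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"
IOC_ADMIN = "rangex"

# Apache/nginx "combined" format: ip - - [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_wpgateway_probe(target: str) -> bool:
    """True if the request target hits the WPGateway endpoint with wp_new_credentials=1.
    Repeated slashes are collapsed because the observed requests use '//wp-content/...'."""
    path, _, query = target.partition("?")
    path = re.sub(r"/{2,}", "/", path)
    if not path.endswith(IOC_PATH):
        return False
    return parse_qs(query).get(IOC_PARAM) == ["1"]

def scan_access_log(lines):
    """Return (ip, time, status) for each matching request. Any hit means the site was
    targeted; an HTTP 200 suggests the request was processed, so check the user table."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_wpgateway_probe(m["target"]):
            hits.append((m["ip"], m["time"], int(m["status"])))
    return hits

def suspicious_admins(admins):
    """Return administrator usernames matching the known indicator (case-insensitive)."""
    return [u for u in admins if u.lower() == IOC_ADMIN]

# Constructed sample data (not real traffic or real accounts)
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Sep/2022:10:01:07 +0000] "POST //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 312 "-" "python-requests/2.28"',
    '198.51.100.2 - - [12/Sep/2022:10:02:11 +0000] "GET /wp-content/plugins/wpgateway/readme.txt HTTP/1.1" 404 0 "-" "curl/7.85"',
]
SAMPLE_ADMINS = ["alice", "RangeX"]

if __name__ == "__main__":
    for ip, ts, status in scan_access_log(SAMPLE_LOG):
        print(f"WPGateway exploit attempt from {ip} at {ts} (HTTP {status})")
    for user in suspicious_admins(SAMPLE_ADMINS):
        print(f"Suspicious administrator account: {user}")
```

On a live site, feed the web server's access log to scan_access_log and the output of a WordPress user listing (for example from the admin dashboard or WP-CLI) to suspicious_admins.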

Wordfence said it blocked over 4.6 million attacks attempting to take advantage of the vulnerability against more than 280,000 sites in the past 30 days.

Owing to active exploitation, and to prevent other actors from taking advantage of the shortcoming, further details about the vulnerability have been withheld from the public. Users are advised to remove the plugin from their WordPress installations until a patch is available.

The development comes days after Wordfence warned of in-the-wild abuse of another zero-day flaw in a WordPress plugin called BackupBuddy.

The disclosure also arrives as Sansec revealed that threat actors broke into the extension license system of FishPig, a vendor of popular Magento-WordPress integrations, to inject malicious code that’s designed to install a remote access trojan called Rekoobe.

Copyright © Sovereign Services
All Rights Reserved.