Over 280,000 WordPress sites may have been hijacked by zero-day hiding in popular plugin

An image of security icons for a network encircling a digital blue earth.
(Image credit: Shutterstock) (Image credit: Shutterstock)

A zero-day vulnerability found in a premium WordPress plugin is being actively exploited in the wild, researchers are saying, urging users to remove it from their websites until a patch is released.

WordPress security plugin makers WordFence uncovered a flaw in WPGateway, a premium plugin helping admins manage other WordPress plugins and themes from a single dashboard.

According to the researchers, the flaw is tracked as CVE-2022-3180, and carries a severity score of 9.8. It allows threat actors to create an admin user on the platform, meaning they’d have the ability to take over the entire website if they so pleased. 

Millions of attacks

"Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator," said Ram Gall, Wordfence researcher.

Wordfence added it successfully blocked more than 4.6 million attacks, against more than 280,000 sites, in the last month, alone. That also means that the number of attacked (and possibly compromised) websites is probably much, much larger. 

A patch for the flaw is not yet available, the researchers said, and there is no workaround. The only way to stay safe, for the time being, is to remove the plugin from the website altogether, and wait for the patch to arrive, researchers stressed. 

Webmasters looking for indicators of compromise should check their sites for admin accounts named “rangex”. Furthermore, they should look for requests to "//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1" in the access logs, as that is a sign of an attempted breach. This sign, however, doesn’t necessarily mean it was successful.

Other details are scarce for the moment, given the fact that the flaw is being actively exploited, and that the fix is not yet available. 

WordPress is the world’s most popular website builder, and as such, is under constant attack by cybercriminals. While the platform itself is generally considered safe, its plugins, of which there are hundreds of thousands, are often the weak link that leads to compromise.

Via: The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.