WordPress websites might be at risk after hackers exploited a zero-day vulnerability in the WPGateway premium plugin.
The Wordfence threat intelligence team warned users of the WPGateway plugin, a premium add-on that lets WPGateway cloud users manage various tasks on their websites from a single dashboard. The vulnerability is tracked as CVE-2022-3180 (CVSS score of 9.8) and enables attackers to add an administrator account to websites using WPGateway.
WordPress is a GUI-based CMS (Content Management System) that helps website owners upload and list content. Once an attacker gets administrator privileges, they can effectively take control of the website and even add or remove its administrators.
WPGateway plugin still poses threats
According to the WordPress security firm, the WPGateway plugin remains dangerous. Wordfence informed the developer of the security problem, but no fix has been released yet. The company is distributing a public service alert (PSA) to all users because threat actors have been abusing the zero-day vulnerability.
Moreover, the security company has withheld technical information on the vulnerability to avoid further exploitation. However, it released some indicators of compromise (IoCs) to help site administrators determine whether their installations have been targeted.
How to check for WPGateway exploitation
The company has shared a straightforward method for checking whether a site has been exploited through WPGateway. The website administrator can inspect whether a new user with the username ‘rangex’ has been added to the website. Site owners who may have been affected by the ongoing exploitation can review the user list on their WordPress websites.
Additionally, the website administrator can search the site's access logs for requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” to see whether an attacker has targeted the website, and also whether the threat has compromised the website or not.
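Both checks can be scripted. The Python below is an added example, not code from Wordfence or from this article's source: it scans access-log lines for requests to the plugin endpoint named above and flags the ‘rangex’ login in a list of usernames. The Combined Log Format, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Indicators of compromise quoted in the article above.
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"
IOC_USER = "rangex"

# Assumed format: Apache/nginx Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Sep/2022:10:12:01 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [09/Sep/2022:10:13:44 +0000] "POST /blog/wp-content/plugins/WPGateway/wpgateway-webservice-new.php?x=1&wp_new_credentials=1 HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [09/Sep/2022:10:14:02 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4096 "-" "-"',
]

def find_ioc_requests(lines):
    """Return ip, time, method and status for each request to the IoC endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        # Split on '?' by hand: a URL parser would read the leading '//' as a host name.
        path, _, query = m["target"].partition("?")
        path = re.sub(r"/{2,}", "/", unquote(path)).lower()  # normalise slashes, encoding, case
        if path.endswith(IOC_PATH) and IOC_PARAM in parse_qs(query, keep_blank_values=True):
            hits.append({k: m[k] for k in ("ip", "time", "method", "status")})
    return hits

def suspicious_logins(logins):
    """Return the logins from a site's user list that match the IoC username."""
    return [name for name in logins if name.strip().lower() == IOC_USER]

if __name__ == "__main__":
    for hit in find_ioc_requests(SAMPLE_LOG):
        print("IoC request:", hit)
    # Constructed user list; replace with the logins exported from the site.
    print("Suspicious logins:", suspicious_logins(["admin", "editor1", "rangex"]))
```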
The company has alerted users who have installed the WPGateway plugin and advised them to uninstall it from their websites until a security patch is released. It also asked users to check their WordPress dashboards for any signs of malicious administrator users and to remove them immediately if detected.