A critical zero-day vulnerability in WPGateway, a premium WordPress plugin, is being actively exploited in the wild. The flaw lets attackers take complete control of affected WordPress sites, putting every administrator who runs the plugin at risk.

The vulnerability, tracked as CVE-2022-3180 and rated critical with a CVSS score of 9.8, allows an attacker to insert a rogue administrator account into any site running the WPGateway plugin. It was disclosed by Wordfence, a firm specializing in WordPress security. Wordfence researcher Ram Gall said that part of the plugin's own functionality exposes a path by which unauthorized users can create such accounts.

WPGateway lets site owners install, back up, and clone WordPress plugins and themes from a single dashboard, which is why a compromise of the plugin is so serious. The most reliable indicator of compromise is an administrator account named "rangex" that the site owner did not create. A second indicator is a web-server access-log entry for a request to "//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1"; such a request shows that exploitation was attempted, not that it succeeded, so it should be followed by a check of the site's administrator accounts.
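The two checks above, written out as a script. This is an added example, not code from the article or from Wordfence: it scans access-log lines for the indicator URL and compares the site's administrator logins against the list the owner expects. It assumes the Apache/nginx "combined" log format, treats the single-slash and double-slash forms of the path as the same request (the advisory shows the double-slash form), and takes the administrator list from a command such as `wp user list --role=administrator --field=user_login`. The sample log lines and account names below are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Indicators from the Wordfence write-up on CVE-2022-3180.
IOC_ENDPOINT = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"
IOC_ADMIN_LOGIN = "rangex"

# Apache/nginx "combined" access-log layout (assumed; adjust the pattern if
# your server uses a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)


def is_wpgateway_ioc(target: str) -> bool:
    """True if the request target is the WPGateway web-service endpoint called
    with wp_new_credentials. The advisory shows the path with a leading "//";
    repeated slashes are collapsed so the "/" and "//" variants both match.
    (urllib.parse.urlsplit is deliberately avoided: it would read "//wp-content"
    as a host name.)"""
    path, _, query = target.partition("?")
    path = re.sub(r"/{2,}", "/", path)
    if path != IOC_ENDPOINT:
        return False
    return IOC_PARAM in parse_qs(query, keep_blank_values=True)


def scan_access_log(lines):
    """Return one record per access-log request that matches the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_wpgateway_ioc(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": int(m.group("status")),
            })
    return hits


def summarize_by_ip(hits):
    """Per source IP: number of attempts and whether any drew a 2xx response.
    A 2xx only shows the request reached the plugin; it is not proof that an
    account was inserted, which the administrator-list check decides."""
    summary = defaultdict(lambda: {"attempts": 0, "any_2xx": False})
    for h in hits:
        s = summary[h["ip"]]
        s["attempts"] += 1
        if 200 <= h["status"] < 300:
            s["any_2xx"] = True
    return dict(summary)


def unexpected_admins(admin_logins, expected_logins):
    """Administrator logins the site owner did not create, as (login, matches_ioc)
    pairs so the advisory's known rogue name "rangex" stands out. admin_logins
    is the output of e.g. `wp user list --role=administrator --field=user_login`."""
    expected = {u.lower() for u in expected_logins}
    return [
        (u, u.lower() == IOC_ADMIN_LOGIN)
        for u in admin_logins
        if u.lower() not in expected
    ]


# Constructed sample data (not real traffic): two indicator requests from one
# host, one benign login-page request, and one call to the endpoint without
# the parameter. The second indicator request was blocked (403), showing why a
# log hit alone does not mean the site was compromised.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2022:10:15:01 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Sep/2022:10:15:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2022:10:16:30 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 403 0 "-" "curl/7.85.0"
192.0.2.4 - - [12/Sep/2022:10:17:00 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Constructed administrator list, as wp-cli would print it, and the owner's own list.
SAMPLE_ADMINS = ["alice", "rangex"]
EXPECTED_ADMINS = ["alice"]

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} -> {h["status"]}')
    print(summarize_by_ip(hits))
    for login, matches_ioc in unexpected_admins(SAMPLE_ADMINS, EXPECTED_ADMINS):
        print(f"unexpected admin: {login}" + ("  (matches advisory IoC)" if matches_ioc else ""))
```

Run it against a real log with `scan_access_log(open("/var/log/nginx/access.log"))` and against the real administrator list; any login the owner does not recognize, "rangex" or otherwise, warrants treating the site as compromised regardless of what the log shows.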

Wordfence reported that in the preceding 30 days it had blocked more than 4.6 million attacks targeting this vulnerability against over 280,000 sites, showing how aggressively the flaw is being exploited.

Because the flaw is under active exploitation, Wordfence has withheld technical details to avoid giving attackers further help. No patch is available yet; until a fixed version is released, Wordfence recommends that administrators uninstall the WPGateway plugin from their WordPress installations.

The incident follows a recent alert about a zero-day flaw in another WordPress plugin, BackupBuddy, pointing to a troubling pattern for WordPress-based platforms. Separately, Sansec disclosed that threat actors compromised the extension license system of FishPig, a Magento extension vendor, to deliver a remote access trojan known as Rekoobe, a supply-chain tactic consistent with advanced persistent threat tradecraft.

Mapped to MITRE ATT&CK, the attack combines Initial Access through exploitation of a public-facing application (T1190) with Persistence through account creation (T1136): the attacker exploits the flaw to insert an administrator account and then keeps access through that account rather than through the original exploit. Because the inserted account carries the administrator role, the same step amounts to privilege escalation to full control of the site. As cyber threats continue to evolve, vigilance and proactive measures remain necessary for safeguarding digital assets.

The incident is a reminder that widely used software can carry serious vulnerabilities, and that a robust security posture, including an inventory of installed plugins and routine checks for unexpected administrator accounts, is needed to mitigate the risk.