Hackers attack WordPress sites after 0-day in WPGateway plugin

Wordfence Threat Intelligence warns that WordPress sites are under massive attack targeting the vulnerable WPGateway plugin, which offers backup and clone capabilities to users.

The zero-day vulnerability exploited by attackers has been identified as CVE-2022-3180 (CVSS score of 9.8). This critical bug allows an unauthenticated hacker to create an additional administrator account on the site, leading to a complete takeover of the site.

Wordfence reports that over the past 30 days, they have blocked more than 4.6 million attacks on this vulnerability, which were directed at more than 280,000 sites.

The most common sign that a site running the WPGateway plugin has been compromised is the presence of an administrator with the username rangex. You should also look in the logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1. Such requests indicate that the site was attacked, although they do not necessarily indicate a successful hack.

So far, details about the vulnerability have not been disclosed, because detailed information would only help other attackers start exploiting the bug. As there is no patch yet, users are advised to uninstall the plugin immediately and not to reinstall it until a fix is available.

Priyanka Sharma