Wordfence Threat Intelligence warns that WordPress sites are under massive attack targeting the vulnerable WPGateway plugin, which offers backup and clone capabilities to users.
The zero-day vulnerability exploited by attackers has been identified as CVE-2022-3180 (CVSS score of 9.8). This critical bug allows an unauthenticated attacker to create an additional administrator account, leading to a complete takeover of the site.
Wordfence reports that over the past 30 days, they have blocked more than 4.6 million attacks on this vulnerability, which were directed at more than 280,000 sites.
The most common sign that a site running the WPGateway plugin is compromised is the presence of an administrator with the username rangex. You should also look in the logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1. Such requests indicate that the site was attacked, although they do not necessarily mean the attack succeeded.
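One way to check for both indicators, as an added example (not Wordfence's code): the first function scans Apache/Nginx combined-format access log lines for the wp_new_credentials request, collapsing the doubled leading slash so either spelling of the path matches; the second checks a list of WordPress users (assumed to look like the output of `wp user list --format=json`) for an administrator named rangex. The log lines and user records below are constructed samples.

```python
import re
from urllib.parse import parse_qs

# Apache/Nginx combined-log format: client, date, "METHOD path HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"   # query parameter seen in the attack requests
IOC_USER = "rangex"                # admin username the attackers create

def find_probe_requests(log_lines):
    """Return (ip, timestamp, status) for each request to the IoC URL.
    Repeated slashes are collapsed so '//wp-content/...' still matches."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a well-formed access-log line
        raw_path, _, query = m.group("path").partition("?")
        path = re.sub(r"/+", "/", raw_path)
        if path.endswith(IOC_PATH) and IOC_PARAM in parse_qs(query):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

def find_rogue_admins(users):
    """users: dicts with 'user_login' and 'roles' (a list, or the comma-separated
    string that `wp user list --format=json` prints). Returns matching logins."""
    rogue = []
    for u in users:
        roles = u.get("roles", [])
        if isinstance(roles, str):
            roles = roles.split(",")
        if u["user_login"] == IOC_USER and "administrator" in roles:
            rogue.append(u["user_login"])
    return rogue

# Constructed sample data (not real traffic or real users)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2022:10:01:02 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/Sep/2022:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Sep/2022:10:02:00 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 403 0 "-" "curl/7.85"',
]
SAMPLE_USERS = [
    {"user_login": "editor_jane", "roles": ["editor"]},
    {"user_login": "rangex", "roles": "administrator"},
]
```

A 403 hit shows a blocked probe; a 200 hit paired with a rangex administrator is the combination that warrants treating the site as compromised.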
So far, details about the vulnerability have not been disclosed, since detailed information would only help other attackers start exploiting the bug. Since there is no patch yet, users are advised to uninstall the plugin immediately and not reinstall it until a fix is available.