Hackers attack WordPress sites after 0-day in WPGateway plugin

Wordfence Threat Intelligence warns that WordPress sites are under massive attack targeting the vulnerable WPGateway plugin, which offers backup and clone capabilities to users.

The zero-day vulnerability exploited by attackers has been identified as CVE-2022-3180 (CVSS score of 9.8). This critical bug allows an unauthenticated hacker to create an additional administrator account on the site, leading to a complete takeover of the site.

Wordfence reports that over the past 30 days, they have blocked more than 4.6 million attacks on this vulnerability, which were directed at more than 280,000 sites.

The most common sign that a site running the WPGateway plugin has been compromised is the presence of an administrator with the username rangex. You should also look in the logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1. Such requests indicate that the site was attacked, although they do not necessarily indicate a successful hack.
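As an added example (not from Wordfence or the original article), the following Python script scans a web access log for the request indicator described above. It assumes the Apache/nginx combined log format, ignores the HTTP method because the article does not state one, and uses constructed sample lines.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Indicator from the article; the leading "//" is normalised below.
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"

# Apache/nginx "combined" log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def matches_ioc(target):
    """True if a request target hits the WPGateway URL with wp_new_credentials=1."""
    # Split by hand: urlsplit() would read "//wp-content" as a hostname.
    raw_path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(raw_path)).lower()
    params = parse_qs(query, keep_blank_values=True)
    return path.endswith(IOC_PATH) and "1" in params.get(IOC_PARAM, [])

def scan(lines):
    """Return one dict per log line that matches the indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and matches_ioc(m.group("target")):
            hits.append({k: m.group(k) for k in ("ip", "time", "method", "status")})
    return hits

def hits_by_ip(hits):
    """Count matching requests per source address."""
    return Counter(h["ip"] for h in hits)

# Constructed sample lines (documentation IP ranges), not taken from real logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2022:10:01:02 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [14/Sep/2022:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "-"',
    '203.0.113.7 - - [14/Sep/2022:10:06:30 +0000] "POST /blog/wp-content/plugins/WPGateway/wpgateway-webservice-new.php?x=2&wp_new_credentials=1 HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.5 - - [14/Sep/2022:10:07:00 +0000] "GET /wp-content/plugins/wpgateway/readme.txt HTTP/1.1" 200 90 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        # A hit shows the site was targeted, not that the attack succeeded.
        print(hit["time"], hit["ip"], hit["method"], hit["status"])
```

A match only shows that the site was targeted; check the WordPress user list for an administrator named rangex before concluding whether the attack succeeded.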

So far, details about the vulnerability have not been disclosed, since detailed information will only help other attackers start exploiting the bug. Since there is no patch yet, users are advised to uninstall the plugin immediately, and not install it until a fix is available.

Priyanka Sharma