The Wordfence Threat Intelligence team warned today that WordPress sites are actively targeted with exploits targeting a zero-day vulnerability in the WPGateway premium plugin.
WPGateway is a WordPress plugin that allows admins to simplify various tasks, including setting up and backing up sites and managing themes and plugins from a central dashboard.
This critical privilege escalation security flaw (CVE-2022-3180) enables unauthenticated attackers to add a rogue user with admin privileges to completely take over sites running the vulnerable WordPress plugin.
“On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin,” Wordfence senior threat analyst Ram Gall said today.
“The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.”
While Wordfence disclosed active exploitation of this security bug in the wild, it didn’t release additional information regarding these attacks and details regarding the vulnerability.
By withholding this info, Wordfence says that it wants to prevent further exploitation. This will also likely allow more WPGateway customers to patch their installations before other attackers develop their own exploits and join the attacks.
How to find if your site was hacked
If you want to check if your website was compromised in this ongoing campaign, you have to check for a new user with administrator permissions with the rangex username.
Additionally, requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 in the logs will show that your site was targeted in the attack but wasn’t necessarily compromised.
“If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard,” Gall warned.
“If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild.”