The Wordfence Threat Intelligence team discovered a zero-day being actively exploited in the premium WPGateway plugin for WordPress. WPGateway is a plugin that provides additional administration tools for WordPress.
The security flaw, assigned CVE-2022-3180, is a privilege escalation vulnerability that allows unauthenticated users to create illegitimate administrator accounts resulting in full control of a WordPress site. The Wordfence firewall reportedly prevented 4.6 million exploitation attempts across 280,000 sites in the last month.
Wordfence has declined to release any information on the details of how the exploitation is performed, only that they have observed it being abused in the wild. In doing so, they hope to prevent further abuse of the vulnerability and allow WordPress users time to update their installations.
To determine if a WordPress site has been compromised through the WPGateway plugin, it is recommended to check for new administrator accounts, especially an account named “rangex.” Users can also check their webserver logs for requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1”, which indicates that the site was targeted, but not necessarily compromised.
There is no patch available for the WPGateway plugin at this time. It is recommended to remove the plugin as soon as possible until a patch is released.