The Wordfence Threat Intelligence team warned today that WordPress sites are being actively targeted by exploits for a zero-day vulnerability in the premium WPGateway plugin.

WPGateway is a WordPress plugin that allows administrators to simplify various tasks, including setting up and backing up sites and managing themes and plugins from a central dashboard.

This critical elevation of privilege security flaw (CVE-2022-3180) allows unauthenticated attackers to add a malicious user with administrator privileges to completely take control of sites running the vulnerable WordPress plugin.

“On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability used to add a malicious admin user to sites running the WPGateway plugin,” Ram Gall, Principal Threat Analyst at Wordfence, said today.

“Wordfence firewall successfully blocked over 4.6 million attacks targeting this vulnerability against over 280,000 sites in the past 30 days.”

Although Wordfence disclosed active exploitation of this security bug in the wild, it did not release additional information regarding these attacks or details regarding the vulnerability.

By withholding this information, Wordfence says it wants to prevent further exploitation. Doing so will also likely allow more WPGateway customers to patch their installations before other attackers develop their own exploits and join the attacks.

How to know if your site has been hacked

If you want to check whether your website has been compromised in this ongoing campaign, look for a new user with administrator permissions and the username rangex.

Additionally, requests for //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 in the logs will show that your site was targeted by the attack but not necessarily compromised.
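Both checks can be scripted. The following is an added example, not code from Wordfence or WPGateway: it assumes an Apache/nginx combined-format access log and a list of administrator logins exported from the site, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Indicators taken from the Wordfence notice quoted in the article.
IOC_SCRIPT = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM, IOC_VALUE = "wp_new_credentials", "1"
IOC_ADMIN = "rangex"

# Assumed combined log format: ip - - [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

def probe_hits(lines):
    """Return (client_ip, timestamp, status) for each request matching the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, when, target, status = m.groups()
        # Split by hand: URL parsers read a leading "//" as the start of a host name.
        raw_path, _, raw_query = target.partition("?")
        # Decode %xx, collapse repeated slashes and fold case before comparing.
        path = re.sub(r"/+", "/", unquote(raw_path)).lower()
        if path == IOC_SCRIPT and IOC_VALUE in parse_qs(raw_query).get(IOC_PARAM, []):
            hits.append((ip, when, int(status)))
    return hits

def rogue_admins(admin_logins):
    """Return administrator logins that match the reported malicious username."""
    return [u for u in admin_logins if u.strip().lower() == IOC_ADMIN]

# Constructed sample data (documentation IP ranges), not taken from real logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Sep/2022:10:01:02 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [09/Sep/2022:10:05:40 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [09/Sep/2022:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for hit in probe_hits(SAMPLE_LOG):
        print("probe:", hit)
    print("rogue admins:", rogue_admins(["siteowner", "rangex"]))
```

A hit from `probe_hits` means the site was targeted; a non-empty result from `rogue_admins` is the indicator of compromise described above.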

“If you have installed the WPGateway plugin, we urge you to remove it immediately until a fix is available and check for malicious admin users in your WordPress dashboard,” Gall warned.

“If you know of a friend or colleague who is using this plugin on their site, we strongly recommend that you forward this notice to them to help protect their sites, as this is a serious vulnerability that is being actively exploited in the wild.”


