WordPress plugin vulnerability leaves sites open to full takeover

Security firm WordFence has warned of an actively exploited vulnerability in a widely used WordPress plugin that could leave websites totally exposed to hackers.

WPGateway is a paid plugin that gives WordPress users the ability to manage their website from a centralized dashboard. The flaw, designated CVE-2022-3180, allows hackers to add their own profile with admin access to the dashboard and completely take control of a victim’s website.


WordFence, which provides a firewall service for WordPress websites, released a rule to block the exploit for paying customers on its Premium, Care, and Response plans ($99, $490, and $950 per year respectively).

However, customers using its free plan will not receive attack protection until October 8, which could leave small or medium enterprises exposed.

For a business, total website takeover could result in the exfiltration of sensitive financial information or simply lead to the destruction of vital data or even the entire website. Alternatively, threat actors could use the control to launch phishing or malware campaigns through trusted websites, which could cause widespread damage to systems and damage the reputation of affected companies.

A similar strategy has recently been seen among threat actors targeting Facebook Business or Ad accounts, in an effort to alter payment information on the admin side to funnel money intended for the business directly to the threat actors.

WordFence says its firewall detected and blocked more than 4.6 million attacks targeting the WPGateway vulnerability, on more than 280,000 websites in the last month alone. WPGateway operators were notified of the vulnerability on September 8, but it is still believed to be an active threat in the wild.

Admins of WordPress websites using WPGateway have been advised to be on the lookout for an admin addition titled “rangex”, which indicates that the website has been hacked by malicious actors.

Log entries showing a request for ‘//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1’ also indicate that the website was targeted by the exploit, but unlike the presence of the aforementioned rogue admin user, they are not a certain sign that a takeover actually occurred.
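As an added example, not taken from the article or from Wordfence, the following Python check looks for the two indicators the article names: requests to the WPGateway web-service endpoint with wp_new_credentials=1 in combined-format web server access logs, and a “rangex” account in a list of administrator usernames (for instance the output of WP-CLI's `wp user list --role=administrator`). The log lines and the admin list are constructed samples.

```python
import re
from urllib.parse import parse_qs

# Indicators named in the Wordfence advisory: a request for the plugin's web-service
# endpoint with wp_new_credentials=1, and an admin user called "rangex".
WPGATEWAY_ENDPOINT = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
MALICIOUS_ADMIN = "rangex"

# Combined log format (Apache/nginx default): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_wpgateway_probe(request_target: str) -> bool:
    """True if the request target hits the WPGateway endpoint with wp_new_credentials=1."""
    path, _, query_string = request_target.partition("?")
    # Collapse repeated slashes: the advisory's indicator starts with '//'.
    path = re.sub(r"/{2,}", "/", path)
    if not path.lower().endswith(WPGATEWAY_ENDPOINT):
        return False
    return "1" in parse_qs(query_string).get("wp_new_credentials", [])

def scan_access_log(lines):
    """Return (ip, timestamp, status) for every log line matching the exploit indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_wpgateway_probe(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

def suspicious_admins(admin_usernames):
    """Return administrator usernames matching the 'rangex' indicator (case-insensitive)."""
    return [u for u in admin_usernames if u.lower() == MALICIOUS_ADMIN]

# Constructed sample log lines (not real traffic); the second one carries the indicator.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Sep/2022:03:12:44 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Sep/2022:03:12:51 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 412',
    '198.51.100.7 - - [10/Sep/2022:03:13:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, ts, status in scan_access_log(SAMPLE_LOG):
        print(f"possible WPGateway exploit attempt from {ip} at {ts} (HTTP {status})")
    # Constructed admin list; in practice feed in the site's real administrator usernames.
    print("suspicious admins:", suspicious_admins(["alice", "rangex"]))
```

A hit in the log alone shows an attempt; a rogue admin account, or any admin you did not create, is the stronger signal that the site was actually taken over.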

“If you have installed the WPGateway plugin, we urge you to remove it immediately until a fix is available and check for malicious admin users in your WordPress dashboard,” Wordfence advised in a blog post.

WordPress plugins have exposed sites to similar vulnerabilities in the past. Last year, more than 90,000 websites were threatened with full takeover due to a flaw in Brizy Page Builder, a plugin that offers users a “no-code” website building experience. 2020 saw similar exploits in the Elementor plugin used by hackers to install backdoors into a website’s CMS for full control.

IT Pro has approached WordFence for comment.
