PT-2022-20941 · WordPress · Wpgateway Plugin

Chloe Chamberland · Published 2022-09-14 · Updated 2025-02-11 · CVE-2022-3180

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WPGateway Plugin for WordPress versions up to, and including, 3.5

Description

The WPGateway Plugin for WordPress is vulnerable to privilege escalation that allows unauthenticated attackers to create arbitrary malicious administrator accounts. Over 280,000 sites have been targeted in the last 30 days, with more than 4.6 million attacks blocked by the Wordfence firewall. The issue enables an attacker to add a user with administrator privileges and completely take over resources running the vulnerable WordPress plugin. Indicators of compromise (IoC) have been shared to help administrators determine whether their site has been compromised: check for malicious administrator users, such as one with the username rangex, and look for specific requests in site access logs, such as '//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1'.

Recommendations

For WPGateway Plugin for WordPress versions up to, and including, 3.5: As a temporary workaround, consider removing the WPGateway plugin until a patch is available. Restrict access to the wpgateway-webservice-new.php endpoint to minimize the risk of exploitation. Check for and remove any malicious administrator users, such as one with the username rangex. Monitor site access logs for requests like '//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1' to identify potential attacks.
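
One way to run the log check recommended above, as an added example that is not part of the original advisory. It assumes Combined Log Format access logs; the function name and sample lines are constructed for illustration. It goes slightly beyond the literal indicator string by also matching single-slash paths and a percent-encoded wp_new_credentials parameter (the advisory's indicator, written with underscores as it appears in a URL).

```python
import re
from urllib.parse import parse_qs, unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
PARAM = "wp_new_credentials"

def find_wpgateway_hits(lines):
    """Return one dict per log line requesting the endpoint with the IoC parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        # Split by hand: urlsplit() would treat a leading "//" as a host name.
        path, _, query = m["target"].partition("?")
        path = re.sub(r"/+", "/", unquote(path))       # collapse "//", decode %xx
        params = parse_qs(query, keep_blank_values=True)  # decodes parameter names
        if path.endswith(ENDPOINT) and PARAM in params:
            hits.append({"ip": m["ip"], "time": m["time"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [14/Sep/2022:10:01:02 +0000] "GET //wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [14/Sep/2022:10:02:00 +0000] "POST /wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?x=1&wp%5Fnew%5Fcredentials=1 HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.1 - - [14/Sep/2022:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.5 - - [14/Sep/2022:10:04:00 +0000] "GET /wp-content/plugins/wpgateway/'
    'readme.txt HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_wpgateway_hits(SAMPLE):
        # A 2xx status means the request was served rather than blocked,
        # so the administrator user list should be reviewed for that period.
        print(hit)
```

Any hit with a 2xx status is a prompt to review the site's administrator accounts, as the recommendations describe.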

Fix

LPE

Authentication Bypass by Spoofing

Weakness Enumeration

Related Identifiers

CVE-2022-3180

Affected Products

Wpgateway Plugin