Shocking cyberattack! 280,000 WordPress sites attacked by hackers


WordPress sites were attacked through the zero-day vulnerability CVE-2022-3180. More than 280,000 sites were attacked.

The premium WordPress plugin WPGateway contains a zero-day flaw that is being actively exploited in the wild. Tracked as CVE-2022-3180 (CVSS score: 9.8), it allows malicious actors to completely take control of victim sites. The bug is used to add a malicious admin user to sites running the WPGateway plugin, Wordfence said. “Part of the plugin’s functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator,” noted Wordfence researcher Ram Gall. Surprisingly, no fewer than 280,000 such sites were attacked.

Compromised WPGateway connection? Here’s how to find out

WPGateway is used to install, back up and clone WordPress plugins and themes from a unified dashboard. The malicious administrator added through the flaw has the username “rangex”. Additionally, the appearance of requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” is also a sign that the WordPress site has been compromised using the flaw.

According to Wordfence, more than 4.6 million attacks attempting to take advantage of the vulnerability were directed against more than 280,000 sites in the past 30 days. WPGateway operators became aware of the vulnerability on September 8, but it is still an active threat in the wild.

Admins of WordPress websites using WPGateway are advised to search for an admin user named “rangex”. Since the vulnerability has not yet been fixed, users are advised to remove the plugin from their WordPress installations until a fix is deployed. “If you have the WPGateway plugin installed, we urge you to remove it immediately until a fix is available and check for malicious admin users in your WordPress dashboard,” Wordfence shared in a blog post.
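The two checks described above (the request indicator and the “rangex” admin account) can be run over a site's own records. The following is an added example, not code from Wordfence or WPGateway; it assumes the Apache/nginx "combined" access-log format and a user list exported as (login, role) pairs, and all sample data in it is constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Indicators as given in the article.
PLUGIN_SCRIPT = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
QUERY_FLAG = "wp_new_credentials"
ROGUE_ADMIN = "rangex"

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def is_indicator_request(target):
    # Split by hand: the indicator starts with "//", which urlsplit() would
    # misread as a host name ("wp-content") instead of part of the path.
    path, _, query = target.partition("?")
    # Decode, collapse repeated slashes, and case-fold before comparing.
    path = re.sub(r"/+", "/", unquote(path)).lower()
    params = parse_qs(query, keep_blank_values=True)
    return path.endswith(PLUGIN_SCRIPT) and "1" in params.get(QUERY_FLAG, [])

def scan_access_log(lines):
    """Return (line_no, client_ip, method, status) for each matching request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and is_indicator_request(m["target"]):
            hits.append((n, m["ip"], m["method"], int(m["status"])))
    return hits

def rogue_admins(users):
    """users: (login, role) pairs, e.g. exported from the WordPress user list."""
    return [u for u, role in users if role == "administrator" and u.lower() == ROGUE_ADMIN]

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2022:04:12:01 +0000] "POST //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.4 - - [10/Sep/2022:04:13:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Sep/2022:04:15:02 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.55 - - [10/Sep/2022:04:16:30 +0000] "GET /blog/wp-content/plugins/WPGateway/wpgateway-webservice-new.php?x=2&wp_new_credentials=1 HTTP/1.1" 403 0 "-" "-"',
]
SAMPLE_USERS = [("editor01", "editor"), ("rangex", "administrator"), ("siteowner", "administrator")]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("indicator request:", hit)
    print("rogue admins:", rogue_admins(SAMPLE_USERS))
```

The recorded status code and client address in each hit give a starting point for triage alongside the user-list check.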

This is not the first time that WordPress sites have been exposed to vulnerabilities. Last year, over 90,000 websites were reportedly taken over due to a flaw in Brizy Page Builder, which gives users a “no-code” website building experience.

