A critical zero-day vulnerability that is being actively exploited by threat actors has been identified in the WPGateway plugin, a cloud-service add-on that gives WordPress users installation, backup, and cloning capabilities.
The vulnerability, identified by Wordfence security researchers and tracked as CVE-2022-3180, allows an unauthenticated threat actor to add an administrator account to websites running WPGateway. With administrator privileges, the attacker then has full control of the site.
Over the last month, more than 4.6 million attack attempts exploiting this vulnerability against more than 280,000 WordPress sites were detected and successfully blocked. The Wordfence team has reported the vulnerability to the WPGateway developers and has published a firewall rule for Wordfence Care and Wordfence Response customers. The most common indicator of compromise observed for exploitation of this vulnerability is an administrator account created with the username “rangex”. The WPGateway plugin, last reviewed on September 9, was observed to still be vulnerable.
No update that fixes the vulnerability has been released yet. To avoid becoming a target of attacks exploiting this vulnerability, it is recommended to monitor for updates and apply them as soon as they are published, to remove installed WPGateway plugins until a fix is released, and to check the WordPress control panel for suspicious administrator users.
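The recommended check for suspicious administrator accounts can be scripted rather than done by eye in the control panel. The following is an added example, not code from the advisory or from Wordfence or WPGateway. It assumes the user list was exported with WP-CLI (`wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles`) and reviews it against three conditions: the “rangex” indicator named above, an approved list of expected administrators, and a creation date inside the review window. The JSON embedded below is a constructed sample in that shape, not real site data.

```python
"""Flag suspicious WordPress administrator accounts from a WP-CLI user export.

Assumptions (not from the advisory): the input is the JSON produced by
`wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles`.
The sample below is constructed for illustration.
"""
import json
from datetime import datetime

# Username indicator of compromise reported for CVE-2022-3180 exploitation.
KNOWN_BAD_LOGINS = {"rangex"}

# Constructed sample resembling WP-CLI output; not real data.
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": "1", "user_login": "siteowner", "user_email": "owner@example.org",
     "user_registered": "2021-03-02 10:15:00", "roles": "administrator"},
    {"ID": "7", "user_login": "editor_jo", "user_email": "jo@example.org",
     "user_registered": "2022-05-11 08:00:00", "roles": "editor"},
    {"ID": "42", "user_login": "rangex", "user_email": "rangex@example.net",
     "user_registered": "2022-09-10 03:12:44", "roles": "administrator"},
    {"ID": "43", "user_login": "wpadmin2", "user_email": "x@example.net",
     "user_registered": "2022-09-11 22:40:01", "roles": "administrator,editor"},
])


def parse_wp_users(raw_json):
    """Parse WP-CLI JSON; normalise roles to a set and registration time to datetime."""
    users = json.loads(raw_json)
    for u in users:
        roles = u.get("roles", "")
        # WP-CLI emits roles as a comma-separated string; accept a list too.
        if isinstance(roles, str):
            roles = roles.split(",")
        u["role_set"] = {r.strip() for r in roles if r.strip()}
        u["registered_at"] = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
    return users


def find_suspicious_admins(users, approved_logins, since):
    """Return [(user_login, [reasons])] for administrator accounts that
    match the known indicator, are not on the approved list, or were
    registered at or after `since` (a datetime)."""
    findings = []
    for u in users:
        if "administrator" not in u["role_set"]:
            continue
        reasons = []
        if u["user_login"].lower() in KNOWN_BAD_LOGINS:
            reasons.append("login matches known indicator")
        if u["user_login"] not in approved_logins:
            reasons.append("admin not in approved list")
        if u["registered_at"] >= since:
            reasons.append("registered %s within review window" % u["user_registered"])
        if reasons:
            findings.append((u["user_login"], reasons))
    return findings


def review_sample():
    """Run the check over the constructed sample with an assumed review window."""
    users = parse_wp_users(SAMPLE_WP_USER_LIST)
    # Hypothetical: the only expected admin is 'siteowner'; review from 1 Sept 2022.
    return find_suspicious_admins(users, {"siteowner"}, datetime(2022, 9, 1))


if __name__ == "__main__":
    for login, reasons in review_sample():
        print("SUSPICIOUS admin %r: %s" % (login, "; ".join(reasons)))
```

Any account the script reports should be verified against the site's change records before removal; an unexpected administrator created during the exploitation window is the strongest signal here, and its user ID and registration time are useful pivots for reviewing web-server logs for the corresponding request.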