An actively exploited zero-day vulnerability in WordPress plugin WPGateway has led to more than 4.6 million attempted attacks in the past month. The currently unpatched flaw is the second significant WordPress vulnerability to be found over the past week.
The flaw, tracked as CVE-2022-3180, allows an unauthenticated attacker to add a malicious administrator user to any site running the plugin. An administrator account gives the attacker effectively complete control of the site.
WordPress technology was behind 43.2% of active websites in 2021, up from 39.5% at the end of 2020, according to a report from security monitoring platform Patchstack.
WordPress vulnerability: is your site affected?
The vulnerability carries a CVSS score of 9.8, which is critical severity. It was uncovered late last week by WordPress security firm Wordfence, which alerted WordPress users.
No patched version of WPGateway is yet available, but Wordfence added a firewall rule blocking the exploit for Wordfence Premium, Wordfence Care and Wordfence Response customers on Thursday, when the vulnerability was uncovered. Wordfence says its firewall has blocked 4.6m attacks against more than 280,000 websites over the past month. Sites using the free version of Wordfence will receive the same rule from 8 October.
According to Wordfence, the most common indicator of compromise for this vulnerability is a malicious administrator with the username ‘rangex’. “If you see this user added to your dashboard, it means your site has been compromised,” the announcement says.
Sites with the WPGateway plugin installed are urged to remove it immediately until a patched version is available, and to check the WordPress dashboard for administrator users they do not recognise.
If the indicators of compromise are uncovered, Wordfence recommends contacting Wordfence Care or Wordfence Response for help.
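The dashboard check above can be done more reliably against the database, since a malicious admin created by the exploit survives removal of the plugin. The script below is an added example, not code from the article or from Wordfence: it builds an in-memory SQLite stand-in for the `wp_users` and `wp_usermeta` tables with constructed sample rows, runs the standard query WordPress administrators use to list admins (the same SQL works unchanged on MySQL/MariaDB with the site's own table prefix), and flags the `rangex` username Wordfence names as the indicator of compromise plus any administrator registered after a cutoff date. The cutoff value and the sample accounts are assumptions for illustration.

```python
import sqlite3

# Constructed sample data (not from the article) mimicking the wp_users and
# wp_usermeta tables of a site using WordPress's default $table_prefix "wp_".
# User 3 is the 'rangex' account Wordfence names as the main indicator of
# compromise; user 4 is an innocuous-looking admin created after the plugin went in.
SAMPLE_USERS = [
    # (ID, user_login, user_email, user_registered)
    (1, "admin", "admin@example.com", "2020-03-14 09:12:00"),
    (2, "editor_jane", "jane@example.com", "2021-07-01 11:00:00"),
    (3, "rangex", "rangex@example.com", "2022-09-09 03:41:17"),
    (4, "wp_support", "support@example.net", "2022-09-10 22:05:03"),
]
SAMPLE_META = [
    # (user_id, meta_key, meta_value); WordPress stores roles as a serialized PHP array
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Query listing every administrator. {p} is the table prefix, which WordPress
# also uses in the capabilities meta_key ('wp_capabilities' by default).
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM {p}users AS u
JOIN {p}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '{p}capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered
"""

# Usernames Wordfence reports as indicators of compromise for CVE-2022-3180.
KNOWN_IOC_LOGINS = {"rangex"}


def build_sample_db(prefix="wp_"):
    """Create an in-memory SQLite stand-in for the two WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT, "
                 "user_email TEXT, user_registered TEXT)")
    conn.execute(f"CREATE TABLE {prefix}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany(f"INSERT INTO {prefix}users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany(f"INSERT INTO {prefix}usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return conn


def list_admins(conn, prefix="wp_"):
    """Return (ID, login, email, registered) for every administrator, oldest first."""
    return conn.execute(ADMIN_QUERY.format(p=prefix)).fetchall()


def find_suspicious_admins(admins, cutoff, known_logins=KNOWN_IOC_LOGINS):
    """Flag administrators whose login is a known IoC or who were registered on or
    after `cutoff`, a 'YYYY-MM-DD HH:MM:SS' string such as the date the vulnerable
    plugin was installed. Timestamps in this fixed format compare correctly as strings."""
    flagged = []
    for _uid, login, _email, registered in admins:
        reasons = []
        if login.lower() in known_logins:
            reasons.append("known IoC username")
        if registered >= cutoff:
            reasons.append("registered after cutoff")
        if reasons:
            flagged.append((login, reasons))
    return flagged


if __name__ == "__main__":
    conn = build_sample_db()
    admins = list_admins(conn)
    # Illustrative cutoff (assumption); use the date WPGateway was installed on your site.
    for login, reasons in find_suspicious_admins(admins, "2022-09-08 00:00:00"):
        print(f"SUSPICIOUS admin '{login}': {', '.join(reasons)}")
```

On a live site the same listing is available without touching the database through WP-CLI: `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`. Whichever route is used, any administrator that nobody on the team created should be treated as a compromise, not simply deleted, since the attacker may also have planted files or changed site options.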
Other WordPress vulnerabilities
As WordPress’s popularity has grown, so has the number of attempted cyberattacks on its users. Patchstack’s research shows that reported vulnerabilities on the platform were up 150% year-on-year in 2021.
CVE-2022-3180 is not the only WordPress plugin vulnerability seen exploited in the wild in recent weeks. A flaw in the BackupBuddy plugin, tracked as CVE-2022-31474 and rated 7.5 (high), has been used in almost five million attempted attacks since 26 August, Wordfence says.
BackupBuddy is designed to simplify backing up and managing a site's files, and can store those backups in various destinations including Google Drive, OneDrive and AWS. “Unfortunately the method to download these locally stored files was insecurely implemented making it possible for unauthenticated users to download any file stored on the server,” a Wordfence statement said.
The vulnerability was patched on 2 September, and users are strongly advised to update the plugin to the latest version.