Over 280,000 WordPress sites may have been hijacked by zero-day hiding in popular plugin
>
A zero-day vulnerability found in a premium WordPress plugin is being actively exploited in the wild, researchers say, urging users to remove it from their websites until a patch is released.
WordPress security plugin (opens in new tab) Creators WordFence discovered a flaw in WPGateway, a premium plugin that helps administrators manage other WordPress plugins and themes from a single dashboard.
According to the researchers, the error is tracked as CVE-2022-3180 and is given the severity score of 9.8. It allows threat actors to create an admin user on the platform, meaning they have the option to take over the entire website if they want to.
Millions of attacks
“Some of the plugin’s functionality exposes a vulnerability that could allow unauthenticated attackers to insert a malicious administrator,” said Ram Gall, Wordfence researcher.
Wordfence added that it has blocked more than 4.6 million attacks against more than 280,000 sites in the past month alone. That also means that the number of attacked (and potentially compromised) websites is likely to be much, much greater.
A patch for the flaw is not yet available, the researchers said, and there is no fix. The only way to stay safe for now is to remove the plugin from the website altogether and wait for the patch to arrive, researchers emphasized.
Webmasters looking for indicators of compromise should check their sites for administrator accounts called ‘rangex’. They should also look for requests for “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” in the access logs, as that is a sign of an attempted breach. However, this sign does not necessarily mean that it was successful.
Other details are currently scarce, given that the bug is actively being exploited and the fix is not yet available.
WordPress (opens in new tab) is the world’s most popular website builder and as such is under constant attack by cyber criminals. While the platform itself is generally considered secure, the plugins, of which there are hundreds of thousands, are often the weak link that leads to compromises.
Through: The Hacker News (opens in new tab)