A previously unknown vulnerability in a popular WordPress plugin is being actively exploited by attackers. In all, more than 280,000 WordPress sites are affected.
Flexible, easy to use and easy to deploy for building and running a website, WordPress is certainly the most popular content management system in the world. And as always in IT, what is most popular is necessarily targeted by cybercriminals. For at least a month, more than 280,000 sites using WordPress have been vulnerable to a major cyberattack. To break in, the attackers unearthed a zero-day flaw in a WordPress component: the WPGateway plugin. This component lets site administrators manage other extensions, themes and backups, for example, from a single dashboard. With this previously unknown vulnerability, attackers can add themselves as an administrator account and take control of the content manager, and therefore of the sites.
Two symptoms to identify a compromise
This flaw was registered under the reference CVE-2022-3180 by the cybersecurity company Wordfence Threat Intelligence. Its experts explained that they were able to block more than 4.6 million attacks based on this vulnerability. They found that over 280,000 sites were targeted in the last 30 days.
To check whether a WordPress site has been compromised, look for an administrator account named rangex. To go further and find out whether the flaw is potentially being exploited, look in the logs for the request “/wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1”. At the moment there is no fix, which is why it is better to disable the WPGateway extension in the meantime. This bad news comes a week after another zero-day flaw was discovered in a WordPress plugin called BackupBuddy.
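The log check described above can be automated. The following is an added example, not code from Wordfence or the WPGateway project: it scans access-log lines for the request named in the article, and it assumes the Apache/nginx "combined" log format. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Indicator from the article: plugin endpoint plus the wp_new_credentials=1 parameter.
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_KEY, IOC_VALUE = "wp_new_credentials", "1"

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def match_ioc(target):
    """Return True if a request target matches the indicator."""
    path, _, query = target.partition("?")
    # Decode %xx escapes and collapse repeated slashes so that a
    # differently spelled path is not missed by the scan.
    path = re.sub(r"/+", "/", unquote(path)).lower()
    if not path.endswith(IOC_PATH):  # endswith: WordPress may live in a subdirectory
        return False
    return IOC_VALUE in parse_qs(query).get(IOC_KEY, [])

def scan(lines):
    """Return one record per log line that carries the indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if m and match_ioc(m["target"]):
            hits.append({"line": number, "ip": m["ip"], "time": m["time"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
P = "/wp-content/plugins/wpgateway/"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Sep/2022:04:12:31 +0000] "POST {P}wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [10/Sep/2022:04:13:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - [10/Sep/2022:04:15:40 +0000] "GET /blog{P}wpgateway-webservice-new.php?foo=bar&wp_new_credentials=1 HTTP/1.1" 404 0 "-" "-"',
    f'198.51.100.40 - - [10/Sep/2022:04:16:05 +0000] "GET {P}wpgateway-webservice-new.php HTTP/1.1" 403 0 "-" "-"',
    f'203.0.113.7 - - [10/Sep/2022:04:17:55 +0000] "POST {P}wpgateway%2Dwebservice%2Dnew.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit means the endpoint was requested, so pair any results with the check for an administrator account named rangex.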