WordPress plugin vulnerability leaves sites open to total takeover

A silhouette of a hand holding a phone displaying the WordPress logo, with a world map drawn in green code in the background

Security firm WordFence has warned of an actively exploited vulnerability in a widely-used WordPress plugin that could leave websites totally exposed to hackers.

WPGateway is a paid plugin that gives WordPress users the ability to manage their website from a centralised dashboard. The flaw, designated CVE-2022-3180, allows for threat actors to add their own profile with administrator access to the dashboard, and completely take over a victim’s website.


An EDR buyer's guide

How to pick the best endpoint detection and response solution for your business


WordFence, which provides a firewall service for WordPress websites, released a rule to block the exploit for paying customers on its Premium, Care and Response packages ($99, $490 and $950 per year respectively).

However, customers using its free package will not receive protection against attacks until October 8, which could leave small or medium businesses exposed.

For a business, total website takoever could lead to the exfiltration of sensitive financial information or simply lead to the destruction of vital data or even the entire website. Alternatively, threat actors could use the control to launch phishing or malware campaigns through trusted websites, which could cause widespread damage to systems and incur reputational damage upon affected companies.

A similar strategy was recently observed in threat actors targeting Facebook Business or Ad accounts, with the aim of changing payment information on the administrator-side to channel money intended for the company directly to the threat actors.

WordFence claims that its firewall has detected and blocked more than 4.6 million attacks targeting the WPGateway vulnerability, across over 280,000 websites in the past month alone. The operators of WPGateway were informed of the vulnerability on September 8, but it is still believed to be an active threat in the wild.

Administrators of WordPress websites utilising WPGateway have been advised to be on the lookout for the addition of an administrator titled ‘rangex’, which indicates that the website has been breached by threat actors.

Logs indicating that the website has made a request to '//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1' also show that it has been targeted by an exploit, but are not certain indicators that takeover has already happened in the same way as the aforementioned rogue user.

“If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard,” advised Wordfence in a blog post.

WordPress plugins have exposed sites to similar vulnerabilities in the past. Last year, over 90,000 websites were put at risk of total takeover because of a flaw in Brizy Page Builder, a plugin that provides users with a ‘no-code’ website building experience. 2020 saw similar exploits in the Elementor plugin used by hackers to install backdoors into a website’s CMS for total control.

IT Pro has approached WordFence for comment.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.