WordPress plugin vulnerability leaves sites open to total takeover
Customers on WordFence's paid tiers get protection from the WPGateway exploit right away, but those on the free tier face a 30-day delay
Security firm WordFence has warned of an actively exploited vulnerability in a widely used WordPress plugin that could leave websites totally exposed to attackers.
WPGateway is a paid plugin that lets WordPress users manage their websites from a centralised dashboard. The flaw, designated CVE-2022-3180, allows threat actors to add their own account with administrator privileges to the dashboard and completely take over a victim's website.
WordFence, which provides a firewall service for WordPress websites, released a rule to block the exploit for paying customers on its Premium, Care and Response packages ($99, $490 and $950 per year respectively).
However, customers on its free package will not receive the rule until October 8, which could leave small and medium-sized businesses exposed in the meantime.
For a business, total website takeover could lead to the exfiltration of sensitive financial information, or to the destruction of vital data or even the entire website. Alternatively, threat actors could use that control to launch phishing or malware campaigns from a trusted website, causing widespread damage to visitors' systems and reputational damage to the affected company.
A similar strategy was recently observed in threat actors targeting Facebook Business or Ad accounts, with the aim of changing payment information on the administrator side to channel money intended for the company directly to the threat actors.
WordFence says its firewall has detected and blocked more than 4.6 million attacks targeting the WPGateway vulnerability across over 280,000 websites in the past month alone. The operators of WPGateway were informed of the vulnerability on September 8, but no patch has yet been released and it is still believed to be an active threat in the wild.
Administrators of WordPress websites using WPGateway have been advised to look out for an added administrator account with the username 'rangex', which indicates that the website has been breached.
Log entries showing a request to '//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1' also show that the site has been targeted by the exploit, but unlike the rogue user they are not a certain indicator that takeover has succeeded.
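The two indicators above can be checked mechanically. The following Python script is an added example written for this page, not code from Wordfence or from the WPGateway plugin: it scans web-server access logs for the exploit request and audits the list of administrator usernames. It assumes the Apache/Nginx "combined" log format, normalises the request path (percent-decoding, collapsing the doubled slash seen in the indicator, lowercasing) so trivial variations are still caught, and treats the HTTP status as the distinguishing detail: a 403 means the server or firewall refused the request, while a 2xx means it reached the plugin and the site's admin users must be audited. The sample log lines, the example usernames and the `wp user list` command in the comment are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Indicators of compromise as published by Wordfence: the vulnerable endpoint,
# the query parameter seen in exploit attempts, and the rogue admin username.
IOC_PATH_SUFFIX = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"
ROGUE_ADMIN = "rangex"

# Assumed Apache/Nginx "combined" log format; adjust the regex for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2022:10:12:31 +0000] "GET //wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Sep/2022:10:13:02 +0000] "GET /wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 403 199 "-" "curl/7.85.0"',
    '192.0.2.9 - - [08/Sep/2022:10:14:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Sep/2022:10:15:44 +0000] "POST /wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Sep/2022:10:16:20 +0000] "GET /wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new%2Ephp?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def normalise_path(path):
    """Percent-decode, collapse repeated slashes ('//wp-content' in the IoC), lowercase."""
    return re.sub(r"/+", "/", unquote(path)).lower()


def is_exploit_request(target):
    """True when the request target matches the published exploit signature."""
    # Split on the first '?' by hand: urlsplit would read a leading '//' as a host.
    path, _, query = target.partition("?")
    if not normalise_path(path).endswith(IOC_PATH_SUFFIX):
        return False
    params = parse_qs(query, keep_blank_values=True)
    return "1" in params.get(IOC_PARAM, [])


def scan_access_log(lines):
    """One finding per matching line. reached_plugin is True for 2xx responses,
    i.e. the request was not blocked and a user audit is needed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_exploit_request(m["target"]):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": status,
            "reached_plugin": 200 <= status < 300,
        })
    return findings


def rogue_admins(admin_users, expected_admins):
    """Flag the known rogue username and any administrator not on the expected list.
    admin_users would typically come from WP-CLI, e.g.
    `wp user list --role=administrator --field=user_login` (assumed invocation)."""
    expected = {u.lower() for u in expected_admins}
    return sorted(
        u for u in admin_users
        if u.lower() == ROGUE_ADMIN or u.lower() not in expected
    )


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
    # Constructed admin list for the demonstration.
    print(rogue_admins(["admin", "rangex", "editor_jane"], ["admin"]))
```

The script flags the exploit signature regardless of outcome, but only a request that reached the plugin (2xx) should be escalated to a confirmed-compromise investigation; a rogue or unexpected administrator account is the stronger indicator, as the article notes.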
“If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard,” advised Wordfence in a blog post.
WordPress plugins have exposed sites to similar vulnerabilities in the past. Last year, over 90,000 websites were put at risk of total takeover by a flaw in Brizy Page Builder, a plugin that provides a 'no-code' website-building experience. In 2020, hackers used similar exploits in the Elementor plugin to install backdoors into a website's CMS for total control.
IT Pro has approached WordFence for comment.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.