Over 280,000 WordPress sites may have been flooded with attacks exploiting a zero-day in a popular plugin


Researchers say a zero-day vulnerability in a premium WordPress plugin is being actively exploited in the wild, and are urging users to remove the plugin from their websites until a patch is released.

Wordfence, the company behind the WordPress security plugin of the same name, discovered the flaw in WPGateway, a premium plugin that lets administrators manage WordPress plugins and themes from a single dashboard.

According to the researchers, the flaw is tracked as CVE-2022-3180 and carries a CVSS severity score of 9.8 (critical). It allows an unauthenticated attacker to add an administrator user to the site, which is enough to take over the entire website.

Millions of attacks

"A portion of the plugin functionality exposes a vulnerability that permits unauthenticated attackers to insert a malicious administrator," according to a Wordfence researcher.

In the last 30 days, Wordfence blocked more than 4.6 million attacks targeting this flaw against over 280,000 sites. Since that count covers only sites protected by Wordfence, the number of targeted (and potentially compromised) websites is probably significantly greater.

The researchers said a patch for the flaw isn't yet available, and there is no workaround. For the time being, the only way to stay safe is to remove the plugin altogether and wait until the patch arrives.

Webmasters looking for indicators of compromise should check their site for a malicious administrator account with the username "rangex", and search their access logs for requests to "//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1". Such a request shows the site was attacked, but does not by itself mean the attack succeeded; the rogue administrator account is the confirmation.
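The check above can be scripted. The following is an added example, not code from Wordfence or from the article: it scans access-log lines for the indicator described above and reviews an exported administrator list for the "rangex" account. It assumes (these assumptions are not from the page) Apache/Nginx combined log format, an administrator list exported with `wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv`, and an operator-maintained allow-list of expected administrators. The log lines and user list below are constructed sample data.

```python
"""
Added example (not from Wordfence or the article): hunt for the WPGateway
indicator of compromise in an access log and in the administrator list.

Assumptions (not from the page): combined log format, a user list exported
with `wp user list --role=administrator --format=csv`, and an
operator-maintained allow-list of legitimate administrator logins.
"""
import csv
import io
import re
from urllib.parse import parse_qs

# Indicators from the Wordfence advisory quoted in the article.
IOC_SCRIPT = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"
IOC_USERNAME = "rangex"

# Apache/Nginx combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_wpgateway_probe(target: str) -> bool:
    """True if a request target matches the advisory's IoC.

    The advisory shows a doubled leading slash ("//wp-content/..."); repeated
    slashes are collapsed so the single-slash variant is caught as well.
    The path is split on '?' by hand because urlsplit() would treat the
    "//wp-content" prefix as a host name.
    """
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", path)
    if not path.endswith(IOC_SCRIPT):
        return False
    return parse_qs(query).get(IOC_PARAM, [""])[0] == "1"


def find_wpgateway_probes(log_lines):
    """Return one dict per matching request: source IP, timestamp, HTTP status.

    A hit proves an attempt, not a compromise: the status code alone does not
    tell you whether the plugin created the account. Confirm via the user list.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        if is_wpgateway_probe(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
            })
    return hits


def suspicious_admins(admin_csv: str, expected_logins):
    """Flag the known attacker username and any administrator outside the allow-list."""
    expected = {u.lower() for u in expected_logins}
    flagged = []
    for row in csv.DictReader(io.StringIO(admin_csv)):
        login = row["user_login"]
        if login.lower() == IOC_USERNAME:
            flagged.append((login, "matches Wordfence IoC username"))
        elif login.lower() not in expected:
            flagged.append((login, "administrator not in allow-list"))
    return flagged


# Constructed sample data (not real traffic) so the script runs offline.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2022:03:14:07 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "python-requests/2.28"',
    '198.51.100.4 - - [10/Sep/2022:03:15:22 +0000] "GET /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2022:03:16:01 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 403 199 "-" "curl/7.85"',
    '192.0.2.9 - - [10/Sep/2022:03:17:45 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=0 HTTP/1.1" 200 88 "-" "curl/7.85"',
]

SAMPLE_ADMINS = (
    "user_login,user_email,user_registered\n"
    "alice,alice@example.com,2021-01-04 10:00:00\n"
    "rangex,rangex@example.com,2022-09-10 03:14:08\n"
    "deploybot,ops@example.com,2022-08-01 09:00:00\n"
)

if __name__ == "__main__":
    for hit in find_wpgateway_probes(SAMPLE_LOG):
        print(f"attempt from {hit['ip']} at {hit['time']} (HTTP {hit['status']})")
    for login, why in suspicious_admins(SAMPLE_ADMINS, ["alice"]):
        print(f"review admin '{login}': {why}")
```

On a real site, feed `find_wpgateway_probes` the lines of the web server's access log and `suspicious_admins` the CSV from `wp user list --role=administrator --format=csv`, with the allow-list filled in from your own records. Any administrator you did not create, not only "rangex", deserves a look, since an attacker who already has one admin account can easily add another under a less obvious name.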

Because the flaw is being actively exploited and no fix is yet available, further technical details are being withheld for the moment.

WordPress is the world's most popular content management system and is constantly under attack by cybercriminals. While the core platform itself is generally considered secure, its plugins, of which there are tens of thousands, are often the weak link that leads to compromise.