VTA-00423 – WPGateway Plugin Zero-Day Vulnerability Affects Multiple WordPress Sites
A zero-day vulnerability in the latest version of the WPGateway premium WordPress plugin is being actively exploited in the wild, potentially allowing attackers to take over affected sites completely. The unauthenticated privilege escalation vulnerability, tracked as CVE-2022-3180, is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, according to WordPress security company Wordfence. The presence of an administrator account with the username "rangex" is the most common indicator that a site running the plugin has been compromised.
In addition, requests to "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1" in the access logs indicate that the site has been targeted using the flaw, although such requests do not necessarily mean the attack succeeded. Until a patch is available, users are advised to uninstall the plugin from WordPress.
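The two indicators above (requests to the webservice endpoint in the access log, and a "rangex" administrator account) can be checked mechanically. The Python script below is an added detection example; it is not part of the original advisory and is not Wordfence's or WPGateway's code. The endpoint path and the indicator username are taken from the advisory; the sample log lines, the sample user list and the user_login / roles field names (assumed to match the JSON output of the WP-CLI user list command) are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and query parameter named in the advisory as the sign of a targeting attempt.
VULN_ENDPOINT = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
VULN_PARAM = "wp_new_credentials"
# Username the advisory names as the most common post-compromise indicator.
INDICATOR_USERNAME = "rangex"

# Combined log format (Apache/Nginx default); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample access log for illustration (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [13/Sep/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Sep/2022:10:01:05 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 212 "-" "python-requests/2.28"
198.51.100.7 - - [13/Sep/2022:10:02:44 +0000] "GET /wp-login.php HTTP/1.1" 200 4087 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Sep/2022:10:03:11 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 500 0 "-" "curl/7.85"
198.51.100.7 - - [13/Sep/2022:10:04:00 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Constructed sample user list in the shape of `wp user list --format=json`
# (field names user_login / roles are assumed); not taken from any real site.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "roles": "administrator"},
    {"ID": 7, "user_login": "editor1", "roles": "editor"},
    {"ID": 42, "user_login": "rangex", "roles": "administrator"},
]


def find_exploit_attempts(log_text):
    """Return one dict per request that hits the vulnerable endpoint with the
    wp_new_credentials parameter present. A hit means the site was targeted,
    not that the exploit succeeded."""
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        if url.path != VULN_ENDPOINT:
            continue
        if VULN_PARAM not in parse_qs(url.query):
            continue  # endpoint touched without the parameter: not the known pattern
        attempts.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
        })
    return attempts


def suspicious_admins(users):
    """Return logins of administrator accounts matching the indicator username."""
    return [
        u["user_login"]
        for u in users
        if u["user_login"].lower() == INDICATOR_USERNAME
        and "administrator" in u["roles"].split(",")
    ]


def triage(log_text, users):
    """Combine both indicators into a single verdict string for the responder."""
    attempts = find_exploit_attempts(log_text)
    admins = suspicious_admins(users)
    if admins:
        return "likely compromised: rogue administrator %s present" % ", ".join(admins)
    if attempts:
        return "targeted: %d exploit attempt(s) logged, no rogue admin found" % len(attempts)
    return "no indicators found"


if __name__ == "__main__":
    for a in find_exploit_attempts(SAMPLE_ACCESS_LOG):
        print("attempt from %(ip)s at %(timestamp)s (%(method)s, HTTP %(status)d)" % a)
    print(triage(SAMPLE_ACCESS_LOG, SAMPLE_USERS))
```

The verdict deliberately separates "targeted" from "compromised": a logged request to the endpoint, whatever its status code, only shows an attempt, while the rogue administrator account is the post-compromise indicator. In practice the user list would be exported from the site and the real access log read from disk instead of the embedded samples.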
Severity:
High
Attack Surfaces:
Content Management System
Tactics:
Initial Access, Privilege Escalation
Techniques:
Exploitation for Privilege Escalation, Exploit Public-Facing Application
Active Defense Tactics:
Contain, Disrupt
Active Defense Techniques:
Decoy Account, Detonate Malware, Network Diversity, Security Controls
SuperPRO’s Threat Countermeasures Procedures:
1. Remove the plugin until a fully fixed and patched version is available.
2. Enable automatic updates so that software stays current with the latest security patches.
Contributed by: S1mps0n5