WPGateway Plugin Zero-Day Vulnerability Affects Multiple WordPress Sites

VTA-00423 – WPGateway Plugin Zero-Day Vulnerability Affects Multiple WordPress Sites

A zero-day vulnerability in the latest version of the WPGateway WordPress premium plugin is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites. The unauthenticated privilege escalation vulnerability, tracked as CVE-2022-3180, is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, according to WordPress security company Wordfence. The presence of an administrator with the username «rangex» is the most common indicator that a website running the plugin has been compromised.

In addition, requests to «/wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1» in the access logs indicate that the WordPress site has been targeted using the flaw, but they do not necessarily indicate a successful breach. In the absence of a patch, users are advised to uninstall the plugin from WordPress until the vulnerability is fixed.
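An added detection example (not code from Wordfence or from this advisory): the following Python scans web-server access logs for the request described above, matching the query parameter `wp_new_credentials=1` while tolerating percent-encoding and repeated slashes in the path. It assumes the Apache/nginx "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Indicator from the advisory: the plugin's web-service script requested with
# wp_new_credentials=1. A hit means the site was targeted, not that it was breached.
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM, IOC_VALUE = "wp_new_credentials", "1"

# Apache/nginx "combined" log format (assumption; adjust for custom formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_ioc_request(target):
    """True if the request target matches the indicator. The target is split
    by hand because urlsplit() would read a leading '//' as a host name."""
    path, _, query = target.partition("?")
    path = re.sub(r"/{2,}", "/", unquote(path)).lower()
    return path == IOC_PATH and IOC_VALUE in parse_qs(query).get(IOC_PARAM, [])

def find_probes(lines):
    """Return (ip, timestamp, method, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ioc_request(m["target"]):
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2022:10:01:02 +0000] "POST //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.9 - - [14/Sep/2022:10:05:40 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp%5Fnew%5Fcredentials=1 HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.15 - - [14/Sep/2022:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [14/Sep/2022:10:07:00 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=0 HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

Any hit warrants reviewing the site's administrator accounts for the «rangex» user, since the HTTP status code alone does not show whether the request succeeded.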


Attack Surfaces:
Content Management System

Tactics:
Initial Access, Privilege Escalation

Techniques:
Exploitation for Privilege Escalation, Exploit Public-Facing Application

Active Defense Tactics:
Contain, Disrupt

Active Defense Techniques:
Decoy Account, Detonate Malware, Network Diversity, Security Controls

SuperPRO’s Threat Countermeasures Procedures:
1. Remove the plugin until it is fully fixed and patched.
2. Enable auto-update on software to ensure that it is up to date with the latest security patches.

Contributed by:  S1mps0n5
