On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin. They released a firewall rule to Wordfence Premium customers to block the exploit on the same day, September 8, 2022. (Consider upgrading to WordFence Premium: $81/year)
Sites still running the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022. The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.
The WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to setup and manage WordPress sites from a single dashboard. Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.
The Wordfence team obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time they contacted the plugin vendor with their initial disclosure. Wordfence has reserved vulnerability identifier CVE-2022-3180 for this issue.
As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.