Zero-Day Vulnerability in WordPress Plugin

By Autumn Gamble on September 16, 2022

Executive Summary

On September 8, 2022 the threat intelligence team at the company Wordfence became aware of a zero-day vulnerability in a WordPress plugin [1]. WordPress is popular open-source software that allows users to create and build their own websites. The plugin, named WPGateway, is actively being exploited to insert malicious administrator accounts. A firewall rule that blocks the exploit has been deployed to the paid versions of Wordfence's software, but the free versions will not receive it until October 8, 2022 [1].

Background

As this is an actively exploited vulnerability, exact details are not being released at this time, to avoid enabling further attacks. The WPGateway plugin was designed to allow users to manage their websites from a single dashboard, which includes setting up and backing up sites and managing themes and plugins; the vulnerability allows an attacker to take over affected sites. “Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator,” according to Wordfence researcher Ram Gall [1][2]. On the day of the discovery, September 8, 2022, Wordfence released a firewall rule to block the exploit. However, this rule was only released to the paid products Wordfence Premium, Wordfence Care, and Wordfence Response [1]. The free version will receive the firewall rule on October 8, 2022 [1]. The vulnerability has been given a Common Vulnerability Scoring System (CVSS) score of 9.8, which is rated critical, and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-3180 [1][3][4]. The most common indicator that a site has been compromised is the presence of an administrator account with the username “rangex” [2].
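A defender's triage check for the indicator above, written here as an added example that is not part of this summary or of Wordfence's tooling: it queries the wp_users and wp_usermeta tables (constructed in-memory sample rows here; the default wp_ table prefix is assumed) for administrator accounts, flags the rangex login, and, because a username is an easily changed indicator, also lists every administrator registered recently for manual review.

```python
import sqlite3
from datetime import datetime, timedelta
# Indicator of compromise named in the Wordfence PSA: an administrator with this login.
IOC_ADMIN_LOGIN = "rangex"
WP_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # format WordPress uses for user_registered

# Subset of the real wp_users / wp_usermeta columns; the default table prefix wp_ is assumed.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

# Constructed sample rows: a long-standing admin, an editor, and the IoC account.
# WordPress stores a user's roles as a PHP-serialized array under the wp_capabilities meta key.
SAMPLE_USERS = [
    (1, "siteowner", "owner@example.com", "2021-03-01 09:15:00"),
    (2, "jane", "jane@example.com", "2022-05-10 14:02:00"),
    (3, "rangex", "rangex@example.com", "2022-09-09 03:41:17"),
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

def build_sample_db():
    """Load the constructed sample tables into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (NULL, ?, ?, ?)", SAMPLE_META)
    return conn

# Every account whose capabilities array contains the administrator role, oldest first.
ADMIN_QUERY = """
SELECT u.user_login, u.user_registered
FROM wp_users AS u JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""

def triage_admins(conn, since_days=30, now=None):
    """Return admins matching the IoC login, admins registered in the last since_days, and all admins."""
    reference = datetime.strptime(now, WP_TIME_FORMAT) if now else datetime.now()  # now: WP-format string
    cutoff = reference - timedelta(days=since_days)
    admins = conn.execute(ADMIN_QUERY).fetchall()
    ioc_hits = [login for login, _ in admins if login == IOC_ADMIN_LOGIN]
    recent = [login for login, reg in admins if datetime.strptime(reg, WP_TIME_FORMAT) >= cutoff]
    return {"ioc_hits": ioc_hits, "recent_admins": recent, "all_admins": [login for login, _ in admins]}
```

Against a live site, point the connection at a dump of the real tables; an empty ioc_hits list does not clear the site, so every entry in recent_admins still needs to be confirmed as legitimate.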

Impact

The current release of the WPGateway plugin has been confirmed to be vulnerable, as have all earlier versions. WordPress is used to run the websites of major companies such as Sony, TechCrunch, Disney, and Microsoft, among many others [5]. In the past 30 days, Wordfence has blocked over 4.6 million attacks exploiting the WPGateway plugin vulnerability against more than 280,000 sites [1].

Conclusion

With this WPGateway zero-day actively exploited and no patch currently available, systems will likely remain vulnerable until a fix is released. Wordfence's recommended action is to remove the WPGateway plugin from WordPress installations until a fix is available.

References

[1] R. Gall, “PSA: Zero-day vulnerability in WPGateway actively exploited in the wild,” Wordfence, 13-Sep-2022. [Online]. Available: https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/. [Accessed: 16-Sep-2022].

[2] R. Lakshmanan, “Over 280,000 WordPress sites attacked using WPGateway plugin zero-day vulnerability,” The Hacker News, 14-Sep-2022. [Online]. Available: https://thehackernews.com/2022/09/over-280000-wordpress-sites-attacked.html. [Accessed: 16-Sep-2022].

[3] “CVE-2022-3180,” CVE, 12-Sep-2022. [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3180. [Accessed: 16-Sep-2022].

[4] M. Hell, “What is the CVSS score?: An extensive overview,” Debricked, 05-Jul-2022. [Online]. Available: https://debricked.com/blog/what-is-cvss-score/. [Accessed: 16-Sep-2022].

[5] “40+ most notable big name brands that are using WordPress,” WPBeginner, 17-Dec-2021. [Online]. Available: https://www.wpbeginner.com/showcase/40-most-notable-big-name-brands-that-are-using-wordpress/. [Accessed: 16-Sep-2022].