Wordfence, one of the most comprehensive WordPress security plugins available today, announced earlier this week that it has blocked more than 4.6 million cyberattacks targeting a zero-day vulnerability in the last 30 days. The attacks were against more than 280,000 sites running the WPGateway plugin, which allows its users to configure and manage WordPress sites from a single dashboard. The company offers incident response services through Wordfence Care for those who believe they have been compromised.
Wordfence published in a blog post that on September 8, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability that was being used to attack sites running the WPGateway plugin. Wordfence released a firewall rule for Wordfence Premium, Wordfence Care, and Wordfence Response customers to block the exploit on the same day. The post also said the same protection for sites that run the free version of Wordfence will be released on October 8.
“Wordfence firewall successfully blocked over 4.6 million attacks targeting this vulnerability against over 280,000 sites in the past 30 days,” the post added. The zero-day vulnerability, found in “part of plugin functionality,” would make it possible to add a malicious admin user to sites running the WPGateway plugin, which is tied to the WPGateway cloud service and offers its users a way to configure and manage WordPress sites from a single dashboard.
Note that the vulnerability identifier CVE-2022-3180 was reserved for this issue and its CVSS score (the standard criteria for assigning severity scores to vulnerabilities) is 9.8, indicating a high-severity vulnerability. Wordfence says that although it is issuing this public service announcement, some details are being withheld in order to prevent further exploitation, as “this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it.”
How to know if you are compromised
Those who use the Wordfence plugin can easily determine whether their site has been attacked using this vulnerability. If they find a malicious admin with the username of rangex and/or find requests for //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 in the site’s access logs, then it’s a guarantee that they were attacked. However, this does not mean that the site is fully compromised.
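The two indicators above can be checked mechanically. The following script is an added example, not Wordfence code: it scans Combined Log Format access-log lines for the exploit request and checks an exported list of administrator usernames for the rangex account. The path normalisation (URL-decoding and collapsing the leading //) is an assumption about how different web servers record the request; the log lines, IPs and admin list are constructed sample data.

```python
"""Triage helper for the WPGateway zero-day indicators named in the article.

Added example, not Wordfence's own tooling. Assumes a Combined Log Format
access log and a separately exported list of administrator usernames
(for example from the wp_users table). All sample data below is constructed.
"""
import re
from urllib.parse import parse_qs, unquote

# Indicators from the article: the request path used by the exploit and the
# admin username it creates.
EXPLOIT_PATH_SUFFIX = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
EXPLOIT_PARAM = "wp_new_credentials"
MALICIOUS_ADMIN = "rangex"

# Combined Log Format: client ident user [time] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_exploit_request(url: str) -> bool:
    """True when the request URL matches the published exploit indicator.

    The path is URL-decoded and duplicate slashes are collapsed (assumption:
    the attack was logged with a leading '//' and servers differ in how they
    record it), so '//wp-content/...' and '/wp-content/...' both match.
    """
    path, _, query = url.partition("?")
    path = re.sub(r"/+", "/", unquote(path))
    if not path.endswith(EXPLOIT_PATH_SUFFIX):
        return False
    params = parse_qs(query, keep_blank_values=True)
    return params.get(EXPLOIT_PARAM, [""])[0] == "1"


def scan_access_log(lines):
    """Return (ip, time, status) for every line carrying the exploit request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_exploit_request(m.group("url")):
            hits.append((m.group("ip"), m.group("time"), int(m.group("status"))))
    return hits


def find_malicious_admins(admin_users):
    """Return administrator usernames equal to the known malicious account name."""
    return [u for u in admin_users if u.lower() == MALICIOUS_ADMIN]


def triage(lines, admin_users):
    """Combine both indicators as the article describes: the request in the
    logs proves an attack attempt; the rangex admin account indicates the
    attempt most likely succeeded."""
    hits = scan_access_log(lines)
    admins = find_malicious_admins(admin_users)
    if admins:
        verdict = "likely compromised: malicious admin account present"
    elif hits:
        verdict = "attacked: exploit requests seen, no malicious admin found"
    else:
        verdict = "no indicators found"
    return {"exploit_requests": hits, "malicious_admins": admins, "verdict": verdict}


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2022:03:14:07 +0000] "POST //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2022:03:15:22 +0000] "GET /wp-content/plugins/wpgateway/readme.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Sep/2022:03:16:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [11/Sep/2022:11:02:01 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 403 0 "-" "curl/7.68.0"',
]
# Constructed administrator list, as if exported from the wp_users table.
SAMPLE_ADMINS = ["admin", "rangex", "editor_jane"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_ADMINS).items():
        print(f"{key}: {value}")
```

A 403 entry still counts as an attack attempt (the request reached the server and was blocked), while a 200 response for the exploit request together with the rangex account is the combination that warrants treating the site as compromised and starting incident response.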