A series of ones and zeroes

WPGateway WordPress plugin vulnerability could allow full site takeover

There’s been a few WordPress plugin vulnerabilities in the wild recently, and today we have another one to add to the list. Sometimes when word breaks of a WordPress plugin issue, a fix is already available and all you have to do is perform an update. On other occasions, the attack is live and out there doing damage with no fix yet available. Sadly, this current exploit is an example of the latter.

WPGateway allows WordPress users to run WordPress sites from one dashboard. Unfortunately, research shows that part of this functionality puts both the site and the site’s users at risk.

Beware of rogue admins

The issue in question allows unauthenticated individuals to add rogue users to the site. Those unauthorised users have full admin privileges, which essentially results in a full site takeover thanks to the plugin.

At this point, the compromiser can do what they want with the hijacked website. They are in full control, which is not a great situation for anybody. The vulnerability is listed on the Common Vulnerabilities and Exposures site as CVE-2022-3180. However, no additional information is forthcoming yet as the page has merely been reserved at this point.

Active exploitation

The issue was first discovered on September 8, and is being actively exploited. There is very little additional information to go on at this point, as the specifics of the vulnerability are being withheld. As a result, people will largely be reliant on the WPGateway team to get a patch put together.

Detecting and avoiding compromise

Options are limited, but for now the main advice from Wordfence is this:

  • Remove the plugin installation until a patch is made available.

  • Check for malicious admin accounts in your WordPress dashboard. The username  “rangex” is a common indicator of compromise.

You can also check site access logs for requests to: //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1. This indicates an attack attempt was made, but does not mean your site has been compromised. This is why checking for the “rangex” username is so important. Fingers crossed that this issue will receive a speedy patch from the plugin developers.

Stay safe out there!


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.