September 14, 2022

WordPress zero-day vulnerability leads to 4.6 million attempted attacks on websites

The flaw is currently unpatched, but users are being advised to take action to reduce their risk of a breach.

By Claudia Glover

An actively exploited zero-day vulnerability in WordPress plugin WPGateway has led to more than 4.6 million attempted attacks in the past month. The currently unpatched flaw is the second significant WordPress vulnerability to be found over the past week.

[Image] A WordPress plugin vulnerability is being actively targeted for attack. (Photo by Primakov/Shutterstock)

When exploited, this vulnerability, identified as CVE-2022-3180, is used to add malicious administrator users to sites running the plugin. Administrator privileges allow attackers to effectively achieve a complete site takeover.

WordPress technology was behind 43.2% of active websites in 2021, up from 39.5% at the end of 2020, according to a report from security monitoring platform Patchstack.

WordPress vulnerability: is your site affected?

The exploit has been given a CVSS score of 9.8, indicating high severity. The vulnerability was uncovered late last week by WordPress security company Wordfence, prompting it to alert all WordPress users.

WordPress has not yet released a patch for the vulnerability, but when the flaw was uncovered on Thursday Wordfence implemented a ‘firewall rule’ to block the exploit on Wordfence Premium, Wordfence Care and Wordfence Response. Since then the firewall has successfully blocked 4.6m attacks on more than 280,000 websites, Wordfence says. Sites using the free version of Wordfence will receive similar protection from 8 October.

According to Wordfence, the most common indicator of compromise for this vulnerability is a malicious administrator with the username ‘rangex’. “If you see this user added to your dashboard, it means your site has been compromised,” the announcement says.

Users with the WPGateway plugin installed have been urged to remove it immediately until a patch is made available, and to check the WordPress dashboard for malicious administrator users.
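As an added example (not from the article or from Wordfence), the dashboard check described above can be scripted: the function below takes an administrator-user export in the shape produced by WP-CLI's `wp user list --role=administrator --format=json` and flags accounts that match the published ‘rangex’ indicator, are not on the site's own allowlist of administrators, or were registered after a chosen date. The sample export, the allowlist and the cutoff date are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample shaped like the output of
# `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json`.
# Every login except the 'rangex' indicator is made up for this example.
SAMPLE_ADMIN_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2019-03-02 10:15:00"},
    {"ID": 7, "user_login": "editor-jane", "user_email": "jane@example.com",
     "user_registered": "2021-11-19 08:00:00"},
    {"ID": 42, "user_login": "rangex", "user_email": "rangex@example.net",
     "user_registered": "2022-09-09 03:41:17"},
    {"ID": 43, "user_login": "wp_support", "user_email": "x@example.net",
     "user_registered": "2022-09-10 03:42:05"},
])

# Username reported by Wordfence as the most common indicator of compromise for CVE-2022-3180.
IOC_LOGINS = {"rangex"}


def find_suspicious_admins(export_json, known_admins, created_after):
    """Return (user_login, reason) pairs for administrator accounts that match a
    published indicator, are missing from the site's allowlist, or were
    registered after `created_after` (YYYY-MM-DD), e.g. the plugin install date."""
    cutoff = datetime.strptime(created_after, "%Y-%m-%d")
    findings = []
    for user in json.loads(export_json):
        login = user["user_login"]
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if login in IOC_LOGINS:
            findings.append((login, "matches published indicator of compromise"))
        elif login not in known_admins:
            findings.append((login, "administrator not on allowlist"))
        elif registered > cutoff:
            findings.append((login, f"administrator created after {created_after}"))
    return findings


if __name__ == "__main__":
    # Constructed allowlist: the administrators the site owner expects to exist.
    for login, reason in find_suspicious_admins(SAMPLE_ADMIN_EXPORT, {"siteowner", "editor-jane"}, "2022-08-01"):
        print(f"{login}: {reason}")
```

Any account flagged here should be treated as a sign of compromise rather than simply deleted, since an attacker with administrator access may have left other changes behind.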


If the indicators of compromise are uncovered, Wordfence recommends contacting Wordfence Care or Wordfence Response for help.

Other WordPress vulnerabilities

As WordPress’s popularity has grown, so has the number of attempted cyberattacks on its users. Patchstack’s research shows that reported vulnerabilities on the platform were up 150% year-on-year in 2021.

CVE-2022-3180 is not the only WordPress vulnerability spotted in the wild in recent weeks. A flaw in a plugin called BackupBuddy, CVE-2022-3180, comes with a high rating of 7.5, and has been used in almost five million attempted attacks since 26 August, Wordfence says.

BackupBuddy is designed to simplify backing up and managing files, which requires giving the plugin access to files in various destinations including Google Drive, OneDrive and AWS. “Unfortunately the method to download these locally stored files was insecurely implemented making it possible for unauthenticated users to download any file stored on the server,” a Wordfence statement said.

The vulnerability was patched on 2 September, and users are strongly advised to download the latest version of the software to avoid potential problems.
