View all Business
View all Cloud
View all Hardware
View all Infrastructure
View all Security
View all Software
View all Technology
Security firm WordFence has warned of an actively exploited vulnerability in a widely-used WordPress plugin that could leave websites totally exposed to hackers.
WPGateway is a paid plugin that gives WordPress users the ability to manage their website from a centralised dashboard. The flaw, designated CVE-2022-3180, allows for threat actors to add their own profile with administrator access to the dashboard, and completely take over a victim’s website.
An EDR buyer's guide
How to pick the best endpoint detection and response solution for your business
WordFence, which provides a firewall service for WordPress websites, released a rule to block the exploit for paying customers on its Premium, Care and Response packages ($99, $490 and $950 per year respectively).
However, customers using its free package will not receive protection against attacks until October 8, which could leave small or medium businesses exposed.
For a business, total website takoever could lead to the exfiltration of sensitive financial information or simply lead to the destruction of vital data or even the entire website. Alternatively, threat actors could use the control to launch phishing or malware campaigns through trusted websites, which could cause widespread damage to systems and incur reputational damage upon affected companies.
A similar strategy was recently observed in threat actors targeting Facebook Business or Ad accounts, with the aim of changing payment information on the administrator-side to channel money intended for the company directly to the threat actors.
WordFence claims that its firewall has detected and blocked more than 4.6 million attacks targeting the WPGateway vulnerability, across over 280,000 websites in the past month alone. The operators of WPGateway were informed of the vulnerability on September 8, but it is still believed to be an active threat in the wild.
Administrators of WordPress websites utilising WPGateway have been advised to be on the lookout for the addition of an administrator titled ‘rangex’, which indicates that the website has been breached by threat actors.
Logs indicating that the website has made a request to '//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1' also show that it has been targeted by an exploit, but are not certain indicators that takeover has already happened in the same way as the aforementioned rogue user.
“If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard,” advised Wordfence in a blog post.
WordPress plugins have exposed sites to similar vulnerabilities in the past. Last year, over 90,000 websites were put at risk of total takeover because of a flaw in Brizy Page Builder, a plugin that provides users with a ‘no-code’ website building experience. 2020 saw similar exploits in the Elementor plugin used by hackers to install backdoors into a website’s CMS for total control.
IT Pro has approached WordFence for comment.
Turning user behaviour insights into retention strategies
Dell PowerEdge with AMD
IT applications and infrastructure are the prime catalyst for new revenue creation
Building for success with off-premises private cloud
Leveraging co-location facilities to execute your cloud strategy
Cyber resiliency and end-user performance
Reduce risk and deliver greater business success with cyber-resilience capabilities
Red Hat adopts a remote-first policy, with offices turned into "neighbourhoods"
How quantum computing could change cyber security
Uber hacked via basic smishing attack
ITPro is part of Future plc, an international media group and leading digital publisher. Visit our corporate site www.futureplc.com
© Future Publishing Limited, Quay House, The Ambury, Bath BA1 1UA. All rights reserved. England and Wales company registration number 2008885
WordPress plugin vulnerability leaves sites open to total takeover – IT PRO
View all Business