Wordfence, one of the most full-featured WordPress security plugins available now, announced earlier this week that it has blocked over 4.6 million cyberattacks, which were targeting a zero-day vulnerability, in the past 30 days. The attacks were being carried out against more than 2,80,000 sites running the WPGateway plugin, which allows its users to setup and manage WordPress sites from a single dashboard. The company is offering Incident Response services via Wordfence Care to those who believe they have been compromised.
Wordfence posted in a blog that on September 8, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability that was being used to attack sites running the WPGateway plugin. It released a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response customers to block the exploit on the same day. It also said that the same protection for sites that are running the free version of Wordfence will be released on October 8.
“The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days,” it added. The zero-day vulnerability found in a “part of the plugin functionality” was reportedly facilitating the addition of a malicious administrator user to sites running the WPGateway plugin, which is tied to the WPGateway cloud service, and offers its users a way to setup and manage WordPress sites from a single dashboard.
It is to be noted that the vulnerability identifier CVE-2022-3180 for this issue was reserved and the CVSS Score (yardstick to assign severity scores to vulnerabilities) was 9.8, suggesting a high vulnerability. Wordfence says that although they are releasing this public service announcement, there are some nitty-gritties that are being withheld in order to prevent further exploitation as “this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it.”
How to know if you are compromised
Those who are using the Wordfence plugin can easily determine whether their site has been compromised using this vulnerability or not. If they find a malicious administrator with the username of rangex, and/ or find requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 in site’s access logs, then it is a surety that they’ve been attacked. However, it does not mean that the site is fully compromised.
Disclaimer : OneNewsTech.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us – firstname.lastname@example.org. The content will be deleted within 24 hours.