2022-09-15

Hundreds of thousands of websites have come under attack in recent days through an exploit for a zero-day vulnerability, as detected by the threat intelligence team at Wordfence, a provider of cybersecurity solutions for websites built on WordPress, the most widely used CMS (web content management system) on the Internet, with more than 30 million active sites.

On September 8, 2022, Wordfence discovered that several of the intrusion attempts stopped by its WordPress site firewall were trying to exploit a vulnerability in a premium plugin for that CMS, WPGateway, which lets administrators simplify site management by centralizing theme, plugin, and backup management in a single panel.

Specifically, the firewall had blocked 4.6 million intrusion attempts against approximately 280,000 websites in the previous 30 days alone.

The vulnerability lets attackers, without any login credentials, add a malicious user with administrator privileges to the website, giving them full control of it. That administrator account is always named ‘rangex’, so if you have WPGateway installed, make sure you do not have a recently added user with that name.

If the web logs show requests to ‘/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1’, the site has been attacked, but that does not necessarily mean it has been compromised.
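As an added defensive check (not code from the article or from Wordfence), the following Python script looks for the two indicators described above: the probe request path in web-server access logs (attack attempted) and an administrator account named ‘rangex’ (likely compromise). It also flags any other administrator created after a cutoff date you choose, which goes slightly beyond the article's advice; the log lines and user records are constructed samples, and the log format is assumed to be Apache/Nginx combined format.

```python
import re
from datetime import datetime

# Indicator path quoted in the article; the request carries wp_new_credentials=1.
# WordPress serves plugins under /wp-content/plugins/, so match on the suffix.
WPGATEWAY_PROBE = re.compile(
    r"/plugins/wpgateway/wpgateway-webservice-new\.php\?[^\s\"]*\bwp_new_credentials=1(?![0-9])"
)
# Combined log format: client IP, ident, user, [timestamp], "METHOD path protocol" ...
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def find_probe_attempts(log_lines):
    """Return (ip, timestamp, path) for every request that hit the WPGateway probe URL.
    A hit means the site was attacked, not necessarily that it was compromised."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, _method, path = m.groups()
        if WPGATEWAY_PROBE.search(path):
            hits.append((ip, ts, path))
    return hits


def suspicious_admins(users, since_iso):
    """users: dicts with 'login', 'roles' and 'registered' (ISO 8601 with offset).
    Flags the article's indicator (an admin named 'rangex') and, as a broader check,
    any other administrator registered on or after the cutoff (an assumption, not from the article)."""
    since = datetime.fromisoformat(since_iso)
    flagged = []
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        if u["login"].lower() == "rangex":
            flagged.append((u["login"], "indicator: account name 'rangex'"))
        elif datetime.fromisoformat(u["registered"]) >= since:
            flagged.append((u["login"], "admin created after cutoff; review"))
    return flagged


# Constructed sample data (RFC 5737 documentation addresses, fictitious users).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Sep/2022:10:12:01 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Sep/2022:10:13:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Sep/2022:10:14:02 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=0 HTTP/1.1" 403 0 "-" "curl/7.81"',
]
SAMPLE_USERS = [
    {"login": "editor_jane", "roles": ["editor"], "registered": "2021-03-02T09:00:00+00:00"},
    {"login": "rangex", "roles": ["administrator"], "registered": "2022-09-09T10:12:03+00:00"},
    {"login": "siteowner", "roles": ["administrator"], "registered": "2019-06-01T08:00:00+00:00"},
]
```

Run it against a real access log and a user export (for example from `wp user list` on a WP-CLI host) by replacing the two sample lists.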

How to solve it?

The problem does not go away simply by deleting the malicious user, since it can be created again with the same technique. Ram Gall, an analyst at Wordfence, urges users to remove the plugin outright “until a patch is available”, and there is still no word on when that will be.

Wordfence, for its part, has announced that since September 8 it has included a firewall rule in its premium products that blocks this exploit (users of its free products will have to wait until October 8 to receive the update).

The company has also withheld the details of how the exploit works, to give the plugin's developers time to patch their product before other cybercriminals develop their own exploits and join the attacks.

