Security firm WordFence has warned of an actively exploited vulnerability in a widely-used WordPress plugin that could leave websites totally exposed to hackers.
WPGateway is a paid plugin
that gives WordPress users the ability to manage their website from a
centralised dashboard. The flaw, designated CVE-2022-3180,
allows for threat actors to add their own profile with administrator
access to the dashboard, and completely take over a victim’s website.
 |
| Image: WordPress |
WordFence, which provides a firewall service for WordPress websites, released a rule to block the exploit for paying customers on its Premium, Care and Response packages ($99, $490 and $950 per year respectively).
However, customers using its free package will not receive protection against attacks until October 8, which could leave small or medium businesses exposed.
For a business, total website takoever could lead to the exfiltration of sensitive financial information or simply lead to the destruction of vital data or even the entire website. Alternatively, threat actors could use the control to launch phishing or malware campaigns through trusted websites, which could cause widespread damage to systems and incur reputational damage upon affected companies.
