Zero-Day In WordPress Plugin Exploited To Create Admin Accounts

A zero-day exploit in this plugin allowed attackers to inject XSS payloads, which could then be triggered in the dashboard of a logged-in administrator. Attackers used the XSS payloads to create rogue admin accounts.

Zero-Day in WordPress Plugin Exploited to Create Admin Accounts

A zero-day vulnerability in the ThemeREX Addons, a WordPress plugin installed on thousands of sites, is actively exploited by attackers to create user accounts with admin permissions and potentially fully taking over the vulnerable website.

"This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts," Wordfence threat analyst Chloe Chamberland explains.

On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin. We released a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response customers to block the exploit on the same day, September 8, 2022.

As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.

The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.

As was the case a few weeks ago, the irresponsible actions of a security researcher has resulted in a zero-day plugin vulnerability being exploited in the wild. Cases like this underscore the importance of a layered security approach which includes a WordPress firewall.

Given the threat, Wordfence has refrained from sharing technical details about the vulnerability. Nonetheless, they confirmed that the flaw CVE-2022-3180 is a critical-severity vulnerability that allows an attacker to gain elevated privileges on the target website. It even allows an unauthenticated adversary to create malicious admin accounts.

In November, it was discovered that the popular AMP for WP plugin had a privilege-escalation flaw that allows WordPress site users of any level to make administrative changes to a website. And in January, researchers straight up urged WordPress site owners to delete a compromised plugin after multiple zero-day vulnerabilities were discovered being exploited by a malicious actor.

A WordPress vulnerability is a weakness or flaw in a theme, plugin, or WordPress core that can be exploited by a hacker. In other words, WordPress vulnerabilities create a point of entry that a hacker can use to pull off malicious activity.

An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In our December 2020 Vulnerability Roundup we reported on a vulnerability in the Easy WP SMTP plugin. The zero-day (we will cover zero-day vulnerabilities in the next section) vulnerability allowed an attacker to take control of an Administrator account and was being exploited in the wild.

"If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors," Jouko Pynnönen, a researcher with Finland-based security firm Klikki Oy, wrote in a blog post published Sunday evening. "Alternatively the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system."

The hackers were exploiting the 0-day WordPress plugin vulnerability (CVE-2021-24370) to bypass authentication and allow unauthenticated users to log in to an account by entering the related username. It also allows users to create accounts using arbitrary roles, such as admin. These problems can occur even if the login widget is not active and the registration is disabled.

In a recently detected campaign, a hacker group has been resetting administrator passwords on WordPress sites by exploiting a critical zero-day vulnerability in Easy WP SMTP, a plugin with over 500,000 active installations. The flaw was corrected this Monday.

The developers fixed this flaw by simply moving the plugin debug log to the WordPress logs folder to ensure its protection. This is the second time a zero-day vulnerability has been detected in this plugin; in March 2019, a group of researchers discovered that unidentified threat actors were exploiting a flaw in Easy WP SMTP to enable user registration and create administrator accounts as a backdoor.

Plugin vulnerabilities are nothing new for WordPress. Just days before WordFence announced the WPGateway exploit, another WordPress plugin, known as BackupBuddy, was also exploited via a zero-day flaw. The biggest concern within this security threat was the theft of sensitive data from affected websites.

Due to privilege escalation vulnerabilities in plugins, it is sometimes possible for hackers to create ghost or fake admin users to your site. Once the hacker becomes an administrator, they get full access to your website and add backdoors and redirection code on your site.

Some malware creates rogue favicon.ico or random .ico files on your server which contain malicious PHP code inside them. This malicious PHP code is known to perform dangerous actions on websites such as URL injection, creation of administrator accounts, installing spyware/trojans, creating phishing pages, etc.

More than 280,000 websites are exposed to attacks targeting a critical zero-day vulnerability in the WPGateway plugin, the Wordfence team at WordPress security company Defiant warns.if(typeof ez_ad_units!='undefined')ez_ad_units.push([[300,250],'securityonline_info-medrectangle-3','ezslot_3',115,'0','0']);__ez_fad_position('div-gpt-ad-securityonline_info-medrectangle-3-0');The WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to set up and manages WordPress sites from a single dashboard.if(typeof ez_ad_units!='undefined')ez_ad_units.push([[300,250],'securityonline_info-medrectangle-4','ezslot_6',121,'0','0']);__ez_fad_position('div-gpt-ad-securityonline_info-medrectangle-4-0');This week, Wordfence discovered that threat actors are targeting an unpatched critical vulnerability in WPGateway. Tracked as CVE-2022-3180 and featuring a CVSS score of 9.8, the security bug allows unauthenticated attackers to add a malicious user with admin privileges to completely take over sites.

I just found out that I was hacked with this since June. they added several php scripts that would send spam. Luckily I have rate limiter so many emails failed already and clogged my root partition which what alerted me to the problem. They used it only recently. I suspect they also added an admin account. I found one. but Not sure if it is from an old hack. but possible from this one since they can add any php code. they could also modify database to add admin account. I guess a security plugin is a must for wordpress.

Another flaw was found to be actively exploited in a WordPress plugin. It is a zero-day vulnerability (CVE-2022-3180) that is utilized to add a malicious administrator user to WordPress sites using the WPGateway plugin, which was discovered by the Wordfence Threat Intelligence team.

The WordPress vulnerability manifests when an administrator, or editor, uploads an image with the ImageDescription EXIF data tag set to a JavaScript payload. The exploit works only for the user accounts as more strict filtering is put on the other accounts. This has sparked some controversy about this vulnerability, however, as I will prove in this article, we will create an attack that is fully stealthy, allowing the attack to take place without an administrator knowing what is going on. 350c69d7ab