The Center for Cyber security Belgium (CCB) is aware of an active campaign targetting WordPress websites using the WPGateway plugin.
The attackers exploit a vulnerability in the WPGateway plugin to create a new administrator account. This allows the attackers to gain full control of website.
Wordfence detected 4,6 million attacks that are trying to exploit the WPGateway vulnerability on 280.000 different websites on september the 14th.
- The CCB advises to remove the WPGateway plugin until a patch is available.
- The CCB recommends to verify that no malicious administrator accounts have been created
- Threat actors have created the following username "rangex."
- (It is advised to check for other uncommon usernames)