CVE-2022-3180

Critical

Published: 11 February 2025

Published

11 February 2025

Modified

05 June 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.2352 96.0th percentile

Risk Priority 34 60% EPSS · 20% KEV · 20% CVSS

Description

The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts.

Security Summary

CVE-2022-3180 is a privilege escalation vulnerability affecting the WPGateway Plugin for WordPress in versions up to and including 3.5. It enables unauthenticated attackers to create arbitrary malicious administrator accounts, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-290.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows attackers to gain full administrative control of the affected WordPress site by registering new administrator accounts, potentially leading to complete site compromise including data theft, modification, or deletion.

Wordfence advisories detail the vulnerability and recommend updating the WPGateway plugin beyond version 3.5 to mitigate the issue, as referenced in their threat intelligence report and public service announcement.

This zero-day vulnerability has been actively exploited in the wild, as noted in Wordfence's September 2022 blog post.

Details

CWE(s): CWE-290

Affected Products

wpgateway

≤ 3.5

References

https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/
Third Party Advisory · security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpgateway/wpgateway-35-unauthenticated-privilege-escalation
Third Party Advisory · security@wordfence.com