WordPress Plugin Vulnerabilities

WPGateway <= 3.5 - Unauthenticated Privilege Escalation

Description

The plugin allows unauthenticated attackers to create a malicious administrator

Affects Plugins

Plugin icon
wpgateway
No known fix

References

CVE
CVE-2022-3180
URL
https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.8 (critical)

Miscellaneous

Verified
No
WPVDB ID
978cccf0-d3ae-4f74-8f3e-11a5ba263350

Timeline

Publicly Published
2022-09-13 (about 3 years ago)
Added
2022-09-14 (about 3 years ago)
Last Updated
2022-10-11 (about 3 years ago)

Other

Published
Title
Published
2024-02-17
Title
Login as User or Customer <= 3.8 - Admin Account Takeover
Published
2026-01-20
Title
Directorist Social Login <= 2.1.1 - Unauthenticated Privilege Escalation
Published
2024-09-17
Title
Houzez < 3.3.0 - Subscriber+ Privilege Escalation
Published
2024-05-09
Title
Spectra Pro < 1.1.6 - Authenticated (Author+) Privilege Escalation
Published
2025-10-14
Title
Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme < 1.5.0 - Unauthenticated Privilege Escalation to Editor