CVE-2022-3180

CRITICAL EXPLOITED IN THE WILD

wpgateway <= 3.5 - Unauthenticated Privilege Escalation via Administrator Account Creation

Title source: llm

Exploitation Summary

CVE-2022-3180 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).

Description

The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts.

References (2)

Core 2

Core References

Third Party Advisory

https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpgateway/wpgateway-35-unauthenticated-privilege-escalation

Scores

CVSS v3 9.8

EPSS 0.0884

EPSS Percentile 94.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2022-09-13

InTheWild.io 2022-09-08

CWE

CWE-290

Status published

Products (1)

wpgateway/wpgateway < 3.5

Published Feb 11, 2025

Tracked Since Feb 18, 2026