CVE-2022-3180

WPGateway <= 3.5 - Unauthenticated Privilege Escalation

Basic Information

CVE State: PUBLISHED
Reserved Date: September 12, 2022
Published Date: February 11, 2025
Last Updated: March 14, 2025
Vendor: Jack Hopman
Product: WPGateway
Description: The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score: 27.79% (Percentile: 96.15%) as of 2025-05-12

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2022-09-13 08:50:53 UTC) Source

References

https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpgateway/wpgateway-35-unauthenticated-privilege-escalation

Known Exploited Vulnerability Information

Source	Added Date
Wordfence	2022-09-13 08:50:53 UTC

Timeline

CVE ID Reserved

September 12, 2022
Added to KEVIntel

September 13, 2022
CVE Published to Public

February 11, 2025