Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability
A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites.
Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted.
“Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator,” Wordfence researcher Ram Gall said in an advisory.
WPGateway is billed as a means for site administrators to install, backup, and clone WordPress plugins and themes from a unified dashboard.
The most common indicator that a website running the plugin has been compromised is the presence of an administrator with the username “rangex.”
Additionally, the appearance of requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” in the access logs is a sign that the WordPress site has been targeted using the flaw, although it doesn’t necessarily imply a successful breach.
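A defender-side check for the two indicators above, added here as an example and not taken from the Wordfence advisory. It assumes Apache/nginx combined-format access logs and that you can export the site's administrator usernames (for instance from wp_users); the log lines are constructed, not real traffic.

```python
import re

# Indicators quoted in the advisory: the probed endpoint and the rogue admin username.
WPGATEWAY_URI = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
WPGATEWAY_PARAM = "wp_new_credentials=1"
KNOWN_BAD_ADMIN = "rangex"

# Combined/common log format as written by Apache and nginx by default (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def is_wpgateway_probe(uri):
    """True if the request matches the exploit-attempt indicator from the advisory."""
    # The advisory shows the path with a doubled leading slash; collapse runs of '/'
    # so both "//wp-content/..." and "/wp-content/..." are caught.
    path, _, query = uri.partition("?")
    path = re.sub(r"/+", "/", path)
    return path.endswith(WPGATEWAY_URI) and WPGATEWAY_PARAM in query.split("&")

def scan_access_log(lines):
    """Return (ip, time, status) for each probe; a 2xx status means the endpoint answered."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_wpgateway_probe(m.group("uri")):
            hits.append((m.group("ip"), m.group("time"), int(m.group("status"))))
    return hits

def unexpected_admins(admins, allowlist):
    """Admin accounts outside the allowlist; the 'rangex' IoC is flagged even if allowlisted."""
    return [u for u in admins if u == KNOWN_BAD_ADMIN or u not in allowlist]

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Sep/2022:10:01:02 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Sep/2022:10:01:09 +0000] "GET /wp-login.php HTTP/1.1" 200 1024',
    '203.0.113.5 - - [13/Sep/2022:10:02:15 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, ts, status in scan_access_log(SAMPLE_LOG):
        print(f"probe from {ip} at {ts} -> HTTP {status}")
    print("unexpected admins:", unexpected_admins(["alice", "rangex"], {"alice"}))
```

A hit in the log only shows the site was targeted, as the advisory notes; the admin-list check is what tells you whether the attempt succeeded.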
Wordfence said it blocked over 4.6 million attacks attempting to take advantage of the vulnerability against more than 280,000 sites in the past 30 days.
Further details about the vulnerability have been withheld owing to active exploitation and to prevent other actors from taking advantage of the shortcoming. In the absence of a patch, users are recommended to remove the plugin from their WordPress installations until a fix is available.
Source: Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability
Google ad extensions are being rebranded as assets
Google just announced that ad extensions will be rebranded to assets in the Google Ads UI. The change will be rolled out over the next couple of weeks.
What this means. Previously, creating and managing assets such as call extensions or sitelinks was done in a separate step of the campaign creation process. Now, when you set up a Search or Performance Max campaign, the extensions (now assets) are created in the same step.
What it looks like. The preview tool in the ads manager will automatically update so you can see the extension assets for your ads. Google will also show recommended assets based on your campaign goals. Assets that are created during this stage of the setup process will be available when you work on other campaigns and ad groups.
The new “Ads & assets” menu. The “Assets” page will have reports for all assets across the account. Headlines and descriptions are in the “Asset” view while the “Association” table shows segments such as images and prices. For easier viewing and performance analysis, you can also filter the reports by asset type.
A new combinations report. With this report, you’ll be able to see how assets such as callouts and sitelinks perform against headlines and descriptions.
Launch ETA. Unified reporting in the “Assets” page will roll out over the coming weeks for all campaign types that previously supported ad extensions and the updated combinations report will roll out in the next few months.
Source: Google ad extensions are being rebranded as assets
BuddyPress Plugin Usage Declining, Remaining Contributors Discuss Path Forward
In the most recent BuddyPress developers’ chat, contributors discussed progress on the upcoming 11.0.0 release, which is expected on December 14, 2022.
Mathieu Viet, one of BuddyPress’ lead developers who spearheaded the effort to get the BP Attachments API into BuddyPress 2.3 in 2015, has been working on templating to display single media items on the front-end. He made it possible to share media using the Activity Block editor when the BP Attachments plugin is active. The BP Attachments Admin UI has been updated to include an “Edit Item” view.
In addition to updates related to the upcoming release, contributors addressed the important topic of BuddyPress’ declining usage over the past five years. WordPress.org reports active installations at 100,000+, whereas last month they were at 200,000+. The directory rounds that number so it’s not always representative of the number of people using the plugin. After digging further into the numbers, contributors found that installs are hovering at just under 200,000, but growth is steadily declining and contributors are dwindling.
“The trend is really not great,” Viet said. “We are slowly losing users and the red line is even more concerning. We’re doing worse compared to last year.
“My analysis is: we’re not getting enough new users to compensate for user loss.”
BuddyPress’ growth and usage seem to have peaked around 2016/2017. Participants in the dev chat speculated on the reasons for the decline, which Viet summarized in a writeup of the meeting:
- lack of cool front-end things added to the plugin recently
- hesitancy to install a big plugin like BuddyPress for a single feature
- lack of privacy tools, of a media component
- growth of the use of things like Teams and Slack
- BuddyBoss’ commercial aggression (e.g., Google AdWords) or their slick-looking theme
Source: BuddyPress Plugin Usage Declining, Remaining Contributors Discuss Path Forward
Microsoft 365 apps will now update themselves as if by magic
Microsoft has announced an update for its suite of office and productivity software that will help IT departments ensure applications are always up to date.
As explained in a company blog post, a new feature for Microsoft 365 now allows IT administrators to push updates to business laptops and PCs while they are idle or locked down.
If an outdated application is open, the feature will shut it down (when safe to do so), apply the update and restore the instance to its original state. Apparently, this whole process is conducted in roughly four seconds.
Microsoft 365 updates
Throughout the year, Microsoft rolls out hundreds upon hundreds of feature updates and security patches across its office software. The problem for businesses is that employees will rarely go out of their way to install updates manually, while forced update models typically involve a level of disruption.
The goal of the new “update under lock” feature, Microsoft says, is to help customers ensure their deployments are as secure and up to date as possible, without pulling employees out of their work mid-flow.
“Are you or your end-users annoyed with update notifications? Do you struggle to reach compliance?” asked the firm. “Well fear not, because Microsoft has developed an optimization that applies a pending Microsoft 365 apps update while a machine is in idle or locked mode, even if apps are running.”
Source: Microsoft 365 apps will now update themselves as if by magic