The Wordfence Threat Intelligence team has released a security advisory to address a zero-day vulnerability (CVE-2022-3180) in the WPGateway plugin, which offers its users a way to set up and manage WordPress sites from a single dashboard. The vulnerability is reportedly being actively exploited.
Successful exploitation of the privilege escalation vulnerability could allow an unauthenticated attacker to add a rogue account with administrator privileges to completely take over sites running the vulnerable WPGateway plugin.
A patch for the vulnerability is currently not available. In the meantime, administrators and users of WordPress sites are strongly advised to remove the WPGateway plugin immediately until a patch is made available, and to check for suspicious administrator accounts in the WordPress dashboard.
More information is available here: