The WordPress plugin WPGateway has a zero day vulnerability. The vulnerability is numbered CVE-2022-3180. It is a critical issue with potentially serious consequences. All versions of the plugin are at risk, up to and including the current version 3.5. An update with a fix is not yet available.
The plugin allows the owner to install, clone and backup the website. It is a widely installed plugin. An essential part of the plugin was found to be susceptible to attacks.
The vulnerability is actively exploited by criminals. This allows criminals to convert regular accounts into administrator accounts. Without a solution, any WordPress website using this plugin is an easy target. More than a hundred thousand websites have already been affected.
It is not known when the vulnerability will be remedied through a developer update. Until then, it is recommended to not only disable the plugin, but to even remove it altogether.