Cyber Posture

CVE-2022-3180

Critical

Published: 11 February 2025

Modified: 05 June 2025
KEV Added: not listed (CVE-2022-3180 is not in the CISA KEV catalog)
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2352 (96.0th percentile)
Risk Priority: 34 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-3180 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in the WPGateway plugin for WordPress (vendor wpgateway, product wpgateway). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates CVE-2022-3180 by requiring timely identification, prioritization, and patching of the flaw in WPGateway plugin versions up to and including 3.5.

AC-2 Account Management (prevent, detect)

Prevents and detects unauthorized privilege escalation by enforcing automated and manual processes for account provisioning, modification, and review, and for disabling malicious administrator accounts created via the vulnerability.

Monitoring (detect)

Enables identification of exploitation of CVE-2022-3180 through real-time monitoring of anomalous activity such as unauthenticated account creation or privilege changes.
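As an added example (not part of this advisory or of the WPGateway project), a small Python triage helper for the AC-2 and monitoring controls above: it checks whether an installed WPGateway version falls in the affected range and lists administrator accounts registered after a baseline date, reading constructed sample rows in the CSV shape that `wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv` produces. The sample rows, the baseline date and the WP-CLI invocation are assumptions.

```python
"""Added triage helper (not from the page or the plugin vendor).

Input is constructed sample output in the CSV shape produced by
  wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
The rows, the baseline date and the 3.5 boundary (from the advisory) are assumptions."""
import csv
import io
from datetime import datetime

# Constructed sample rows (assumed data), as `wp user list ... --format=csv` would print.
SAMPLE_ADMINS_CSV = """ID,user_login,user_registered
1,siteowner,2021-03-02 09:15:44
7,editor_jane,2022-01-19 14:02:10
42,wpg_support,2022-09-09 03:11:58
43,admin2,2022-09-09 03:12:07
"""

def parse_version(v: str) -> tuple:
    """Compare dotted versions numerically so that 3.10 sorts after 3.5."""
    return tuple(int(p) for p in v.strip().split("."))

def wpgateway_is_vulnerable(installed: str, last_vulnerable: str = "3.5") -> bool:
    """True when the installed WPGateway version is <= the last affected version."""
    return parse_version(installed) <= parse_version(last_vulnerable)

def flag_admins_after(csv_text: str, baseline: str) -> list:
    """Return logins of administrators registered after `baseline`
    (YYYY-MM-DD HH:MM:SS, the timestamp of the last completed account review).
    Any administrator created after that point needs manual review under AC-2."""
    cutoff = datetime.strptime(baseline, "%Y-%m-%d %H:%M:%S")
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered > cutoff:
            flagged.append(row["user_login"])
    return flagged

if __name__ == "__main__":
    # Assumed installed version; replace with `wp plugin get wpgateway --field=version`.
    print("WPGateway in affected range:", wpgateway_is_vulnerable("3.5"))
    print("admins to review:", flag_admins_after(SAMPLE_ADMINS_CSV, "2022-09-01 00:00:00"))
```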

NVD Description

The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts.

Deeper analysis

CVE-2022-3180 is a privilege escalation vulnerability affecting the WPGateway plugin for WordPress in versions up to and including 3.5. It enables unauthenticated attackers to create arbitrary malicious administrator accounts; it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-290.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows attackers to gain full administrative control of the affected WordPress site by registering new administrator accounts, potentially leading to complete site compromise including data theft, modification, or deletion.

Wordfence advisories detail the vulnerability and recommend updating the WPGateway plugin to a version later than 3.5 to mitigate the issue, as referenced in their threat intelligence report and public service announcement.

This zero-day vulnerability has been actively exploited in the wild, as noted in Wordfence's September 2022 blog post.

Details

CWE(s): CWE-290 (Authentication Bypass by Spoofing)

Affected Products

Vendor: wpgateway
Product: wpgateway
Versions: ≤ 3.5

CVEs Like This One

CVE-2025-59707 (shared CWE-290)
CVE-2026-33661 (shared CWE-290)
CVE-2026-34457 (shared CWE-290)
CVE-2025-62235 (shared CWE-290)
CVE-2025-8853 (shared CWE-290)
CVE-2026-2800 (shared CWE-290)
CVE-2018-25316 (shared CWE-290)
CVE-2026-35622 (shared CWE-290)
CVE-2025-71056 (shared CWE-290)
CVE-2025-69203 (shared CWE-290)
