CVE-2022-3180
ENISA EUVD: EUVD-2022-42597
✓ Confirmed 0-Day
Triaged: March 20, 2026
2 articles
Published: 2025-02-11
EPSS Score
Source: FIRST.org · 2026-05-23
23.52% probability
This CVE has a 23.52% probability of being exploited in the next 30 days.
Top 96.1th percentile of all CVEs
CVSS v3.1
Source: VulnerabilityLookup (CIRCL)
9.8 CRITICAL
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Source: VulnerabilityLookup (CNA)
The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts.
Affected Products
Jack Hopman
WPGateway
Attack Intelligence
Signal Intelligence
Confidence
85%
EPSS
23.52%
CVSS v3.1
9.8
Mentions
2
Last Seen
Sep 13, 2022
CNA Information
CNA Assigner
Wordfence
CNA Title
WPGateway <= 3.5 - Unauthenticated Privilege Escalation
Analyst Note
CVE-2022-3180 is explicitly identified as a zero-day in the WPGateway WordPress plugin, with active exploitation in the wild documented by authoritative sources (TheHackerNews, BleepingComputer). Both articles explicitly use 'zero-day' terminology and report active attacks. While specific patch timing details are unavailable, the contemporary reporting in 2022 and the explicit zero-day designation in multiple sources support the confirmed classification.
Triage Info
Decided at: Mar 20, 2026
Published Date: Feb 11, 2025