Multiple versions of a WordPress plugin known as “School Management Pro” contained a backdoor that could give an adversary total control of vulnerable websites.
The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity.
The backdoor, which is believed to have existed since version 8.9, enables “an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed,” Jetpack’s Harald Eilertsen said in a Friday write-up.
School Management, developed by an India-based company called Weblizar, is billed as a WordPress add-on to “manage complete school operation.” It also claims more than 340,000 customers of its premium and free WordPress themes and plugins.
The WordPress security company noted that it uncovered the implant on May 4 after it was alerted to the presence of heavily obfuscated code in the plugin’s license-checking component. The free version of School Management, which does not include the licensing code, is not affected.
Although the backdoor has since been removed, it is not clear where the compromise originated; the vendor stated that it does not know how or when the code got into its software.
Customers of the plugin are recommended to update to the latest version (9.9.7) to protect against active exploitation attempts.