Multiple versions of a WordPress plugin by the name of “School Management Pro” harbored a backdoor that could grant an adversary complete control over vulnerable websites.
The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609[1] and is rated 10 out of 10 for severity.
The backdoor, which is believed to have existed since version 8.9, enables “an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed,” Jetpack’s Harald Eilertsen said[2] in a Friday write-up.
School Management, developed by an India-based company called Weblizar[3], is billed as a WordPress add-on to “manage complete school operation.” The company also claims more than 340,000 customers of its premium and free WordPress themes and plugins.
The WordPress security company noted that it uncovered the implant on May 4 after it was alerted to the presence of heavily obfuscated code in the license-checking code of the plugin. The free version[4] of School Management, which doesn’t pack the licensing code, is not impacted.
While the backdoor has since been removed, the exact origins of the compromise remain unclear, with the vendor stating that “they do not know when or how the code came into their software.”
Customers of the plugin are recommended to update to the latest version (9.9.7) to prevent active exploitation attempts.
References
- [1] CVE-2022-1609 (nvd.nist.gov)
- [2] said (jetpack.com)
- [3] Weblizar (weblizar.com)
- [4] free version (wordpress.org)
Read more https://thehackernews.com/2022/05/researchers-find-backdoor-in-school.html