Multiple versions of a WordPress plugin called “School Management Pro” harbor a backdoor that can give an adversary complete control over vulnerable websites.
The problem, present in the premium version before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity.
The backdoor, which is believed to have existed since version 8.9, “enables an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed,” Jetpack’s Harald Eilertsen said in a write-up published on Friday.
Developed by an India-based company called Weblizar, School Management is billed as a WordPress add-on to “manage entire school operations.” The vendor claims over 340,000 subscribers to its premium and free WordPress themes and plugins.
The WordPress security company noted that it discovered the implant on May 4 after being alerted to the presence of heavily obfuscated code in the plugin’s license-checking code. The free version of School Management, which does not include the licensing code, is not affected.
Although the backdoor has since been removed, the exact source of the compromise remains unclear, with the vendor saying “they do not know when or how the code came into their software.”
Customers of the plugin are advised to update to the latest version (9.9.7) to prevent any active exploitation attempts.
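As an added defender-side example (not code from the article, Jetpack, or the vendor), the following Python audit reads a plugin's version header to tell whether an install predates the 9.9.7 fix and flags PHP files that show the kind of heavy obfuscation that tipped off Jetpack; the plugin directory, the sample files, and the obfuscation heuristics are all assumptions, since the article publishes no sample of the actual implant.

```python
import re
from pathlib import Path

# Version in which the vendor removed the backdoor (from the article).
FIXED_VERSION = (9, 9, 7)

# Generic heuristics for obfuscated PHP loaders. These are assumptions, not
# signatures for the School Management implant, which the article does not show.
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    re.compile(r"[A-Za-z0-9+/=]{200,}"),        # long base64-looking blob
    re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I),  # runs of hex-escaped characters
]

def parse_version(header_text: str):
    """Extract the 'Version:' field of a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))

def is_vulnerable(header_text: str) -> bool:
    """True if the installed premium version predates the 9.9.7 fix."""
    v = parse_version(header_text)
    return v is not None and v < FIXED_VERSION

def obfuscation_score(php_source: str) -> int:
    """Count how many obfuscation heuristics fire in one PHP source file."""
    return sum(1 for p in OBFUSCATION_PATTERNS if p.search(php_source))

def audit_plugin(plugin_dir: str, threshold: int = 2):
    """Walk a plugin directory (path is an assumption) and list suspicious PHP files."""
    flagged = []
    for path in Path(plugin_dir).rglob("*.php"):
        score = obfuscation_score(path.read_text(errors="ignore"))
        if score >= threshold:
            flagged.append((str(path), score))
    return flagged

# Constructed samples for demonstration; not taken from the real plugin.
SAMPLE_HEADER = "<?php\n/*\n * Plugin Name: School Management\n * Version: 9.9.5\n */\n"
SAMPLE_CLEAN = "<?php\nfunction sm_license_status() { return get_option('sm_license'); }\n"
SAMPLE_SUSPICIOUS = "<?php\n$k = base64_decode('" + "Qk" * 150 + "');\neval($k);\n"

if __name__ == "__main__":
    print("outdated premium build:", is_vulnerable(SAMPLE_HEADER))
    print("clean score:", obfuscation_score(SAMPLE_CLEAN))
    print("suspicious score:", obfuscation_score(SAMPLE_SUSPICIOUS))
```

Run `audit_plugin("/path/to/wp-content/plugins/<plugin-slug>")` against a live install to list files worth a manual look; a high score is a prompt for review, not proof of compromise.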