Several versions of a WordPress plugin by the name of “School Management Pro” harbored a backdoor that could grant an adversary complete control over vulnerable websites.
The issue, present in premium builds prior to 9.9.7, was assigned CVE-2022-1609 and rated 10.0 out of 10 on the CVSS severity scale, the maximum possible.
The backdoor, which is believed to have existed since version 8.9, allows “an unauthenticated attacker to execute arbitrary PHP code on sites where the plugin is installed,” Jetpack’s Harald Eilertsen said in a Friday post.
School Management, developed by an India-based company called Weblizar, is marketed as a WordPress add-on to “manage the complete operation of the school”. The company claims over 340,000 customers of its premium and free WordPress themes and plugins.
Jetpack noted that it discovered the implant on May 4 after being alerted to the presence of heavily obfuscated code in the plugin’s license-verification routine. The free version of School Management, which does not contain the license code, is not affected.
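The tell that led to the discovery was obfuscated code where a license check had no business needing it. The following is an added example, not Jetpack’s tooling or Weblizar’s code: a small scanner that walks a plugin directory and flags PHP files containing common obfuscation indicators (eval, base64_decode, gzinflate, str_rot13, create_function, long base64 blobs, chr()/hex-escape string assembly). The indicators are generic heuristics and are assumed for illustration; the page does not publish the actual pattern used in this backdoor. The two plugin files it scans are constructed samples written to a temporary directory.

```python
"""Heuristic scan of a WordPress plugin directory for obfuscated PHP.

Added example (not Jetpack's or Weblizar's code). The indicator list is a
generic set of obfuscation heuristics assumed for illustration; it is not
the signature of CVE-2022-1609 itself. Expect false positives on legitimate
minified or packed code, so treat hits as a prompt for manual review.
"""
import re
import tempfile
from pathlib import Path

# Each indicator is a compiled regex; counts are reported per file.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gz_decompress": re.compile(r"\bgz(inflate|uncompress|decode)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    # Four or more chr(N) pieces glued together: string assembly to hide names.
    "chr_concat": re.compile(r"(chr\(\d+\)\s*\.\s*){4,}"),
    # Six or more consecutive \xNN escapes inside a double-quoted string.
    "hex_escape": re.compile(r'"(\\x[0-9a-fA-F]{2}){6,}"'),
    # A quoted base64-looking blob of 200+ characters.
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def score_source(src: str) -> dict:
    """Return {indicator_name: match_count} for indicators present in src."""
    hits = {}
    for name, rx in INDICATORS.items():
        n = len(rx.findall(src))
        if n:
            hits[name] = n
    return hits


def scan_plugin_dir(root: Path) -> list:
    """Scan every *.php under root; return [(relative_path, hits), ...]
    for files with at least one indicator, sorted by path."""
    findings = []
    for path in sorted(root.rglob("*.php")):
        hits = score_source(path.read_text(errors="replace"))
        if hits:
            findings.append((path.relative_to(root).as_posix(), hits))
    return findings


# Constructed sample files (hypothetical plugin layout, not the real plugin).
BENIGN_PHP = (
    "<?php\n"
    "// constructed sample: ordinary plugin code\n"
    "function wlz_add_student($name) {\n"
    "    return sanitize_text_field($name);\n"
    "}\n"
)

# A "license check" that decodes and executes a hidden payload. The blob is
# filler, not a real payload; the shape is what the scanner keys on.
SUSPICIOUS_PHP = (
    "<?php\n"
    "// constructed sample: license routine carrying an eval'd payload\n"
    "function wlz_verify_license($key) {\n"
    "    $p = base64_decode('" + "QUFB" * 80 + "');\n"
    "    eval(gzinflate($p));\n"
    "    return true;\n"
    "}\n"
)


def demo() -> list:
    """Write the two constructed files into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "includes" / "students.php").write_text(BENIGN_PHP)
        (root / "license.php").write_text(SUSPICIOUS_PHP)
        return scan_plugin_dir(root)


if __name__ == "__main__":
    for rel_path, hits in demo():
        print(f"{rel_path}: {hits}")
```

Run against a real installation with `scan_plugin_dir(Path("/var/www/html/wp-content/plugins/<plugin>"))`. A hit on a file whose stated purpose is license validation, as in this case, deserves a diff against the vendor’s distributed archive before anything else.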
Although the backdoor has since been removed, the exact origins of the compromise remain unclear, with the vendor stating that it “does not know when or how the code entered its software”.
Plugin customers are recommended to update to version 9.9.7 or later, which removes the backdoor. Because the backdoor allowed unauthenticated code execution, updating does not undo any compromise that already took place; affected sites should also be reviewed for unexpected files, users and scheduled tasks, and credentials rotated where there is any sign of abuse.