The plugin’s name is “School Management,” and it was released by Weblizar in several versions before 9.9.7 with the backdoor baked into its code.
Although the most recent version is clean, the developer was unable to pinpoint the source of the breach.
Schools may use the plugin to handle live classrooms, send email or SMS notifications, keep attendance boards and manage noticeboards, receive payments and issue invoices, administer examinations, set up online lending libraries, and even manage transportation vehicle fleets.
A backdoor in many versions of the WordPress plugin “School Management Pro” could give an attacker complete control over affected websites.
The vulnerability has been assigned the identifier CVE-2022-1609; it was discovered in premium versions prior to 9.9.7 and is rated 10 out of 10 for severity.
According to Jetpack’s Harald Eilertsen, the backdoor, which has been present since version 8.9, allows “an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed.”
To protect against active exploitation attempts, customers of the plugin should update to the current version (9.9.7).
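One way to check an installation against the version range given above (an added example, not code from the article, Jetpack or Weblizar): it reads each plugin's header comment from the first 8 KiB of its PHP files, as WordPress does, and flags School Management copies from 8.9 up to, but not including, 9.9.7. Matching on a header name containing "School Management" and all function names are assumptions; the header alone cannot tell a premium build from a free one.

```python
import re
import sys
from pathlib import Path

# Range from the article: backdoor present since 8.9, clean release is 9.9.7.
FIRST_AFFECTED, FIRST_FIXED = (8, 9), (9, 9, 7)
# Assumption: the plugin's header name contains "School Management".
NAME_PATTERN = re.compile(r"school\s+management", re.I)
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)


def parse_version(text):
    """Turn '9.9.7' into (9, 9, 7); empty tuple if it does not start with digits."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in match.group().split(".")) if match else ()


def read_header(php_file):
    """Read header fields from the first 8 KiB; the first occurrence of a field wins."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    return {k.lower(): v for k, v in reversed(HEADER.findall(head))}


def scan_plugins(plugins_dir):
    """Return (directory, name, version, status) for each matching plugin."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = read_header(php_file)
        name = fields.get("plugin name", "")
        if not NAME_PATTERN.search(name):
            continue
        version = fields.get("version", "")
        parsed = parse_version(version)
        if not parsed:
            status = "version unreadable, review manually"
        elif FIRST_AFFECTED <= parsed < FIRST_FIXED:
            status = "in affected range, update to 9.9.7"
        else:
            status = "outside affected range"
        findings.append((php_file.parent.name, name, version, status))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for finding in scan_plugins(root):
        print(*finding, sep=" | ")
```

Run it with the path to a site's `wp-content/plugins` directory as the only argument. A copy reported as outside the affected range only reflects the declared version number, not the contents of the files.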
Source: Bleeping Computer
The post Backdoor Discovered in WordPress School Management Plugin appeared first on B6G.NET| for all information technology.