A mysterious backdoor has been discovered in a WordPress plugin for schools


Many versions of the School Management Pro WordPress plugin have a built-in backdoor, potentially providing attackers with full control over the affected sites.

The problem affects premium versions of the plugin from 8.9 to 9.9.7. The vulnerability received the identifier CVE-2022-1609 and 10 points out of 10 on the hazard assessment scale.

As Jetpack specialist Harald Eilertsen explained, “an unauthorized attacker can execute arbitrary PHP code on a website with a plugin installed.”

Developed by the Indian company Weblizar, the School Management plugin is positioned as an addon for WordPress, designed to “manage the entire work of the school.” The number of users of free and premium Weblizar plugins is about 340 thousand.

Jetpack specialists discovered the implant on May 4, 2022 after they became aware of the presence of highly obfuscated code in the plugin code checking the license. The free version of School Management is not vulnerable because there is no code to verify the license.

It is unclear how the backdoor was introduced into the plugin, but it has now been removed. According to the vendor, he does not know when and how the code got into their product.

In order to protect themselves from possible cyber attacks through the built-in backdoor, School Management users are advised to update their plugins to version 9.9.7.

Start a discussion …