Security News > 2022 > May > Backdoor baked into premium school management plugin for WordPress
Security researchers have discovered a backdoor in a premium WordPress plugin designed as a complete management solution for schools.
The name of the plugin is "School Management," published by Weblizar, and multiple versions before 9.9.7 were delivered with the backdoor baked into its code.
Because the backdoor is injected in the license checking part of the plugin, the free version that doesn't have one doesn't contain the backdoor either, so it's not impacted.
Jetpack assumed that the presence of the backdoor was a case of a nulled plugin - a premium plugin that has been hacked or modified, distributed through third-party websites, that often work without a license.
After discussing with the site owners, the analysts learned that the plugin was sourced directly from the vendor, so the backdoor came "Out of the box."
The developer released version version 9.9.7 the next day, which has the backdoor removed.