Security News > 2022 > May > Researchers Find Backdoor in School Management Plugin for WordPress

Researchers Find Backdoor in School Management Plugin for WordPress
2022-05-20 22:11

Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites.

The backdoor, which is believed to have existed since version 8.9, enables "An unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed," Jetpack's Harald Eilertsen said in a Friday write-up.

School Management, developed by an India-based company called Weblizar, is billed as a Wordpress add-on to "Manage complete school operation." It also claims more than 340,000 customers of its premium and free WordPress themes and plugins.

The WordPress security company noted that it uncovered the implant on May 4 after it was alerted to the presence of heavily obfuscated code in the license-checking code of the plugin.

The free version of School Management, which doesn't pack the licensing code, is not impacted.

Customers of the plugin are recommended to update to the latest version to prevent active exploitation attempts.


News URL

https://thehackernews.com/2022/05/researchers-find-backdoor-in-school.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 7 2 93 44 18 157
Plugin 2 0 13 1 0 14