WordPress Plugin Vulnerabilities

The School Management < 9.9.7 - Unauthenticated RCE via REST api

Description

The plugin contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

Proof of Concept

Affects Plugins

Plugin icon
school-management-pro
Fixed in 9.9.7

References

CVE
CVE-2022-1609

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
Jetpack Scan Team + WordPress elevated support team
Submitter
Harald Eilertsen
Submitter website
https://jetpack.com
Verified
Yes
WPVDB ID
e2d546c9-85b6-47a4-b951-781b9ae5d0f2

Timeline

Publicly Published
2022-05-18 (about 3 years ago)
Added
2022-05-18 (about 3 years ago)
Last Updated
2023-02-10 (about 2 years ago)

Other

Published
Title
Published
2025-05-07
Title
Ultimate Member <= 2.10.3 - Admin+ Arbitrary Function Call
Published
2024-04-25
Title
Customify Site Library <= 0.0.9 - Unauthenticated Remote Code Execution
Published
2014-10-12
Title
Work-The-Flow 1.2.1 - Shell Upload
Published
2025-09-26
Title
XStore < 9.6 - Unauthenticated Arbitrary Shortcode Execution
Published
2025-09-26
Title
Contact Form 7 – Dynamic Text Extension <= 5.0.3 - Unauthenticated Arbitrary Shortcode Execution