Multiple versions of a WordPress plugin named "School Management Pro" contained a backdoor that could give an adversary full control over vulnerable websites. The issue, found in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity. The backdoor, present since version 8.9, allows an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed.
"School Management" was developed by an India-based company called Weblizar and is promoted as a WordPress add-on for running all school operations. The company also has more than 340,000 customers for its premium and free WordPress themes and plugins.
A WordPress security company said it uncovered the backdoor on May 4 after being alerted to heavily obfuscated code in the plugin's license-checking code. The free version of School Management, which does not contain the licensing code, is not affected.
Although the backdoor has since been removed, the exact origins of the compromise remain unclear, with the vendor saying it is not sure when or how the code made its way into its software. Paid users of the plugin are therefore advised to update to the latest version (9.9.7) to guard against active exploitation attempts.