Researchers found a malicious backdoor in a WordPress plugin popular among schools.
The premium version of the School Management WordPress plugin has contained a backdoor ever since version 8.9 was released in 2021. Schools use the plugin to run and manage their websites. The backdoor gives attackers complete control over any website running the plugin.
Researchers at website security service Jetpack said the backdoor may have been present in earlier versions as well and simply went unnoticed at the time.
An obvious backdoor
Jetpack said it found the backdoor after WordPress.com support staff spotted obfuscated code on several websites running School Management Pro. Once de-obfuscated, the code, hidden in the plugin's license-checking component, turned out to have been placed there deliberately so that others could gain access whenever they pleased.
“The code itself isn’t all that interesting: it’s an obvious backdoor injected into license checking code of the plugin”, Jetpack said. “It allows an attacker to execute arbitrary PHP code on sites with the plugin installed.”
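As an added illustration, not code from the article or from Weblizar, the following Python script triages PHP plugin files by scoring the obfuscation idioms that injected backdoors of this kind typically combine (eval plus a decoder call, long base64-like literals, hex-escaped strings). The license-check sample, the injected line and the indicator weights are constructed for this example.

```python
import base64
import re

# Obfuscation idioms that injected PHP backdoors commonly combine. The weights
# are an assumption made for this example; tune them for your own environment.
INDICATORS = [
    (re.compile(r"\beval\s*\(", re.I), 3, "eval()"),
    (re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2, "decoder call"),
    (re.compile(r"\b(?:create_function|assert)\s*\(", re.I), 2, "dynamic code construction"),
    (re.compile(r"\$\w+\s*\("), 1, "variable function call"),
    (re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]"), 2, "long base64-like literal"),
    (re.compile(r"(?:\\x[0-9a-f]{2}){5,}", re.I), 1, "hex-escaped string"),
]

def score_php(source: str) -> tuple[int, list[str]]:
    """Return (score, matched indicator labels) for one PHP source file."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        n = len(pattern.findall(source))
        if n:
            score += weight * n
            hits.append(label)
    return score, hits

def triage(files: dict[str, str], threshold: int = 4) -> dict[str, tuple[int, list[str]]]:
    """Map file name -> (score, hits) for every file scoring at or above the threshold."""
    results = {name: score_php(src) for name, src in files.items()}
    return {name: r for name, r in results.items() if r[0] >= threshold}

# Constructed samples: a plausible license check, and the same file with an
# injected eval(base64_decode(...)) line. Neither is the plugin's real code.
CLEAN_LICENSE_CHECK = r'''<?php
function smp_check_license($key) {
    $resp = wp_remote_get('https://example.invalid/verify?key=' . urlencode($key));
    if (is_wp_error($resp)) { return false; }
    $body = json_decode(wp_remote_retrieve_body($resp), true);
    return !empty($body['valid']);
}
'''
_ENCODED = base64.b64encode(b'echo "constructed sample, not a real payload";').decode()
BACKDOORED_LICENSE_CHECK = CLEAN_LICENSE_CHECK + 'eval(base64_decode("' + _ENCODED + '"));\n'

if __name__ == "__main__":
    flagged = triage({"clean.php": CLEAN_LICENSE_CHECK, "license.php": BACKDOORED_LICENSE_CHECK})
    for name, (score, hits) in flagged.items():
        print(f"{name}: score={score} indicators={hits}")
```

A hit is a reason to read the file, not proof of compromise: legitimate plugins occasionally use base64 or eval, so compare flagged files against a clean copy from the vendor before acting.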
How many websites use the plugin is currently unclear. Weblizar, the plugin's distributor, says roughly 340,000 customers use its plugins and themes. The obfuscated code was found only in School Management Pro, not in any of the free versions.
Now that the backdoor's existence is public knowledge, attackers may seize the opportunity to attack any website still running a vulnerable version of the plugin. The latest release resolves the issue, and updating is advised. Attempts to reach Weblizar for further information have so far been unsuccessful.