Researchers Discover Backdoor in WordPress Plugin used by Schools


On Friday, researchers reported finding a malicious backdoor in a WordPress plugin that gave attackers complete control of websites running the package; the plugin is marketed mostly to schools.

According to the researchers, the premium version of School Management, a plugin most schools use to manage and operate their websites, has carried the backdoor since at least version 8.9, which was released in August 2021.

Jetpack said the backdoor was discovered after members of the WordPress.com support team reported finding heavily obfuscated code on sites that used School Management Pro. Once the code was de-obfuscated, they realized it had been deliberately stashed in the license-checking part of the plugin to give attackers control of the sites.

‘The code itself isn’t all that interesting: it’s an obvious backdoor injected into the license-checking code of the plugin,’ the Jetpack post said. ‘It allows any attacker to execute arbitrary PHP code on the site with the plugin installed.’

Researchers wrote a proof-of-concept exploit that confirmed the obfuscated code was indeed a backdoor, allowing anyone who knew about it to execute code of their choice on any site running the plugin.
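The Jetpack team found the backdoor because support staff noticed heavily obfuscated code in a plugin's license-checking file. The following triage scanner, added here as an illustration and not code from Jetpack, Weblizar or the article, shows how a site operator can look for the same kind of indicators across a plugin directory; the function names, indicator patterns and the two sample PHP snippets are constructed for this example.

```python
import re
from pathlib import Path

# Heuristic indicators of obfuscated PHP of the kind the Jetpack team describes:
# dynamic execution fed by a decoder, very long encoded literals, and escaped
# strings that hide function names from a casual reader. They are triage hints,
# not proof; a hit means "read this file", not "this file is backdoored".
INDICATORS = {
    "eval_of_decoder": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.I),
    "create_function": re.compile(r"\bcreate_function\s*\(", re.I),
    "long_encoded_literal": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
    "hex_escaped_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}"),
}

def scan_source(src: str) -> dict[str, int]:
    """Return {indicator: hit_count} for every indicator that fires on src."""
    hits = {name: len(rx.findall(src)) for name, rx in INDICATORS.items()}
    return {name: n for name, n in hits.items() if n}

def scan_plugin_dir(root: Path) -> list[tuple[str, dict[str, int]]]:
    """Scan every .php file under root. Files with 'licen' in their path are
    listed first, since license-checking code is where this backdoor was hidden."""
    results = []
    for path in sorted(root.rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            results.append((str(path.relative_to(root)), hits))
    results.sort(key=lambda r: "licen" not in r[0].lower())
    return results

# Constructed samples (hypothetical plugin prefix "smp_"): a plain license check,
# and one carrying a decoder-fed eval plus a hex-escaped string. The encoded
# payload is harmless: base64 of "return true;".
CLEAN_LICENSE_CHECK = """<?php
function smp_check_license($key) {
    return hash_equals(get_option('smp_license_hash'), hash('sha256', $key));
}
"""
OBFUSCATED_LICENSE_CHECK = """<?php
function smp_check_license($key) {
    $v = 'cmV0dXJuIHRydWU7';
    eval(base64_decode($v));
    return "\\x72\\x65\\x74\\x75\\x72\\x6e\\x20\\x31";
}
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_LICENSE_CHECK), ("obfuscated", OBFUSCATED_LICENSE_CHECK)):
        print(label, scan_source(src) or "no indicators")
```

Run `scan_plugin_dir(Path("wp-content/plugins/<plugin>"))` against a real install; the scanner only points at files to read, and the decision about what the code does still has to be made by a person.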

Weblizar, the creator of School Management, says that it has ‘340k+’ customers for its free and premium themes and plugins, but the backdoor was only found in School Management Pro. The backdoor wasn’t found in the free version of the plugin, and there’s no reason to believe it is in the other plugins Weblizar publishes.

‘We have tried to get more information from the vendor about when the backdoor was injected, what versions are affected, and how the code ended up in the plugin in the first place,’ the post said. ‘This effort has been unsuccessful, as the vendor says they do not know when or how the code came into their software.’

Anyone using this plugin needs to update immediately.

By Marvellous Iwendi.

Source: arstechnica