Recently, a backdoor was found in a WordPress plugin used in school portals.
This is the School Management version, a control center for school portals, whose version 8.9 contained a security flaw that allowed attackers to take complete control of the sites that use this plugin.
Backdoor detected in payment plugin for schools
The report of this vulnerability was notified by researchers from the Jetpack website security service, through a publication on your blog. According to the shared background, although the finding is linked to version 8.9 of the plugin, which dates from August 2021, it is not ruled out that the backdoor has been present since previous versions.
In programming environments, source code that is created to be complex, to make it difficult for other developers or security officers to analyze, is called “obfuscated code”. This was exactly what the Jetpack team found, after receiving reports from various sites that, as a common element, used School Management Pro.
After deobfuscating the code in question, the researchers realized that there was intentionally hidden a piece of code that allows outsiders to take control of affected sites.
“The code itself isn’t that interesting – it’s an obvious backdoor injected into the plugin’s license verification code,” notes the Jetpack post. “Allows any attacker to execute arbitrary PHP code on the site with the plugin installed”. Given the location of this vulnerability, it did not affect the free version of the plugin.
This is not a very sophisticated or novel intervention. In fact, it is quite common on sites that use pirated themes or plugins. However, its implications are serious, as anyone with the relevant knowledge could execute any code from somewhere with this backdoor open.
From Jetpack they pointed out that they have tried to obtain more details about this case from the same plugin provider, Weblizar. Although they tried to find out when the aforementioned backdoor was injected, which versions are affected and how the code ended up in the plugin in the first place, these attempts were unsuccessful, as the vendor claims that it does not know when or how the code entered its software. .
In the absence of better communication between Jetpack and Weblizar, the source of this vulnerability has not been traced. However, the removal of this code is already guaranteed since version 9.9.7, so it is recommended to update any previous edition.
Although the code of this plugin has already been cleaned, there is irreversible damage already done. Any website that has the plugin installed could be affected. Even after removing the backdoor, it is recommended to perform a thorough security scan on the site, to detect if it has been compromised in any other way.
