
Premium School Management WordPress Plugins Found Nulled From Source

Researchers have spotted a backdoor in a premium WordPress plugin for school management solutions. The malicious code could allow an attacker to run PHP code even without authentication.

The backdoor

The exploitable plugin is named School Management, published by software company Weblizar. 
  • Multiple plugin versions before 9.9.7 were delivered with the backdoor code added to them.
  • The backdoor was injected into the license-checking code of the plugin, allowing an attacker to run PHP code. 
  • Using the backdoor, attackers can access or tamper with the website’s contents, elevate privileges, and take control of the site.
  • This critical security flaw is tracked as CVE-2022-1609 and has received the highest severity score of 10.
Although the latest version is clean, the developer was unable to determine the source of the compromise. The backdoor was injected into the license-checking code; the free version is not impacted.

More information

The backdoor seems to be a case of a nulled plugin, that is, a premium plugin that has been modified or hacked. Nulled plugins are propagated through third-party websites and most of the time work without a license.
  • The plugin was sourced directly from the vendor and the backdoor came with it.
  • The vendor was contacted on May 4, and the presence of the injected code was verified in version 9.9.6. Further investigation revealed that the backdoor had been present since version 8.9.
  • The next day, the developer released version 9.9.7, from which the backdoor was removed. They rolled out security updates with a notice to apply them as soon as possible.
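
A defender's check built on the version facts above (backdoor present since 8.9, removed in 9.9.7), added here as an example and not code from Cyware, the researchers or Weblizar: it reads plugin headers under a WordPress plugins directory and flags an installed School Management copy in the affected range. The substring match on the plugin name, the `wp-content/plugins/<dir>/<file>.php` layout and the sample header are assumptions.

```python
import re
import sys
from pathlib import Path

PLUGIN_NAME = "school management"  # article's plugin name; substring match is an assumption
FIRST_AFFECTED = "8.9"             # article: backdoor present since version 8.9
FIRST_FIXED = "9.9.7"              # article: backdoor removed in 9.9.7

# Header shape WordPress parses: "Field: value" lines in the leading comment block.
HEADER_RE = re.compile(r"^(?:[ \t]*<\?php)?[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

# Constructed sample of a plugin main file header (not taken from the real plugin).
SAMPLE = "<?php\n/**\n * Plugin Name: School Management\n * Version: 9.9.6\n */\n"

def parse_header(php_source):
    """Return lower-cased header fields from the first 8 KiB, the part WordPress reads."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value.strip(" \t\r*/"))
    return fields

def version_tuple(text, width=4):
    """'9.9.6' -> (9, 9, 6, 0); zero-padded so 9.9 and 9.9.0 compare equal."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:width]
    return tuple(nums + [0] * (width - len(nums)))

def is_affected(version):
    return version_tuple(FIRST_AFFECTED) <= version_tuple(version) < version_tuple(FIRST_FIXED)

def scan(plugins_dir):
    """Return (file name, version, verdict) for each matching plugin main file."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_header(php.read_text(encoding="utf-8", errors="replace"))
        if PLUGIN_NAME not in fields.get("plugin name", "").lower():
            continue
        version = fields.get("version", "")
        if not re.search(r"\d", version):
            verdict = "version unreadable, inspect manually"
        elif is_affected(version):
            verdict = "AFFECTED, update to 9.9.7 or later"
        else:
            verdict = "outside the affected range"
        results.append((php.name, version, verdict))
    return results

if __name__ == "__main__":
    # Usage: python check_plugin.py /path/to/wp-content/plugins
    for row in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*row, sep="\t")
```

Since the source of the compromise was not determined, a clean version number only says the copy is outside the stated range; it does not vouch for a copy obtained from a third-party site.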

Conclusion

For users who want to use a nulled plugin, experts suggest precautions that include testing the nulled plugin or theme locally or on a staging site before using it on production sites, or avoiding it altogether.
Cyware Publisher
