CVE-2022-1609

2024-01-1616:15:09

CWE-94

[email protected]

web.nvd.nist.gov

1807

In Wild

cve-2022-1609

wordpress plugin

backdoor

unauthenticated attack

arbitrary php code

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.166 Low

EPSS

Percentile

96.1%

JSON

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it’s license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

Affected configurations

Vulners

NVD

Node

school_management_script_projectschool_management_scriptRange<9.9.7

VendorProductVersionCPE
school_management_script_projectschool_management_script*cpe:2.3:a:school_management_script_project:school_management_script:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
school_management_script_project	school_management_script	*	cpe:2.3:a:school_management_script_project:school_management_script::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "school-management-pro",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "9.9.7"
      }
    ],
    "defaultStatus": "unaffected"
  }
]