CVE-2022-1609
published 2024-01-16

CVE-2022-1609: The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in its license checking code that registers a REST API handler…

Priority: P190
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 64.32% (99.1th percentile)
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in its license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

Affected

1 range
Vendor: weblizar
Product: school_management
Version range: < 9.9.7
Fixed in: 9.9.7

Detection & IOCs

URL: /wp-json/am-member/license
Command: blowfish=1&blowf=system('{{cmd}}');
  • Monitor for unauthenticated POST requests to the REST API endpoint /wp-json/am-member/license, which is the backdoor handler registered by the malicious license-checking code in School Management plugin < 9.9.7.
  • Detect POST body parameters 'blowfish' and 'blowf' in requests to /wp-json/am-member/license; the 'blowf' parameter carries arbitrary PHP code for execution (e.g., system() calls).
  • The nuclei template uses the canary string '9061-2202-EVC' (reverse of 'CVE-2022-1609') in the response body to confirm successful RCE; alert on this string appearing in HTTP responses from WordPress sites.
  • The vulnerability is an obfuscated backdoor inside the plugin's license checking code; inspect the School Management plugin files for obfuscated PHP that registers a REST route under 'am-member/license'.
  • The nuclei template is marked 'verified: false', meaning the detection logic has not been officially confirmed against a live vulnerable instance; validate before deploying in production.
  • The exploit payload uses a PHP system() call passed via the 'blowf' POST parameter; actual in-the-wild payloads may differ: the parameter name and execution function are the stable indicators, not the specific command.
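The detection notes above, turned into a small request/response inspector as an added example (not code from the page, the nuclei template, or the plugin). It scores a request by the route, the 'blowfish'/'blowf' parameters and any PHP execution function inside 'blowf', and checks the response for the '9061-2202-EVC' canary; it also accepts WordPress's ?rest_route= form of the endpoint, a generalisation this example adds, and the list of execution functions beyond system() is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the CVE-2022-1609 detection notes: the backdoor's REST
# route, its POST parameter names, and the canary the nuclei template checks.
BACKDOOR_ROUTE = "am-member/license"
BACKDOOR_PARAMS = ("blowfish", "blowf")
CANARY = "9061-2202-EVC"
# PHP execution primitives worth flagging inside the 'blowf' value. The page only
# names system(); the other names are assumptions added for this example.
PHP_EXEC_RE = re.compile(r"\b(system|exec|shell_exec|passthru|eval|popen|proc_open)\s*\(", re.I)


def targets_backdoor_route(path: str) -> bool:
    """True if the request addresses the backdoor route, either as
    /wp-json/am-member/license or via WordPress's ?rest_route=/am-member/license
    form (the second form is a generalisation added in this example)."""
    parts = urlsplit(path)
    if parts.path.rstrip("/").endswith("/wp-json/" + BACKDOOR_ROUTE):
        return True
    rest_route = parse_qs(parts.query).get("rest_route", [""])[0]
    return rest_route.strip("/") == BACKDOOR_ROUTE


def inspect_request(method: str, path: str, body: str, response: str = "") -> dict:
    """Score one request/response pair; returns severity and matched indicators."""
    hits = []
    if targets_backdoor_route(path):
        hits.append("route")
        if method.upper() == "POST":
            params = parse_qs(body, keep_blank_values=True)
            present = [p for p in BACKDOOR_PARAMS if p in params]
            if present:
                hits.append("params:" + ",".join(present))
            m = PHP_EXEC_RE.search(params.get("blowf", [""])[0])
            if m:
                hits.append("php_exec:" + m.group(1).lower())
    if CANARY in response:  # reversed CVE id echoed back means code actually ran
        hits.append("canary")
    if "canary" in hits or any(h.startswith("php_exec") for h in hits):
        severity = "critical"
    elif any(h.startswith("params") for h in hits):
        severity = "high"
    else:
        severity = "info" if hits else "none"
    return {"severity": severity, "indicators": hits}
```

A plain GET to the route scores only "info", since the route alone is also hit by benign scanners; a POST carrying both parameter names scores "high" even when the PHP in 'blowf' uses a function not in the list.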

CVSS provenance

NVD: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL