CVE-2022-1609
Published: 2024-01-16
Priority: P1 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: exploited in the wild (ITW) · VulnCheck KEV · initial access
EPSS: 64.32% (99.1th percentile)
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in its license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| weblizar | school_management | < 9.9.7 | 9.9.7 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to the REST API endpoint /wp-json/am-member/license, which is the backdoor handler registered by the malicious license-checking code in School Management plugin < 9.9.7.
- Detect POST body parameters 'blowfish' and 'blowf' in requests to /wp-json/am-member/license; the 'blowf' parameter carries arbitrary PHP code for execution (e.g., system() calls).
- The nuclei template uses the canary string '9061-2202-EVC' (reverse of 'CVE-2022-1609') in the response body to confirm successful RCE; alert on this string appearing in HTTP responses from WordPress sites.
- The vulnerability is an obfuscated backdoor inside the plugin's license checking code; inspect the School Management plugin files for obfuscated PHP that registers a REST route under 'am-member/license'.
- The nuclei template is marked 'verified: false', meaning the detection logic has not been officially confirmed against a live vulnerable instance; validate before deploying in production.
- The exploit payload uses a PHP system() call passed via the 'blowf' POST parameter; actual in-the-wild payloads may differ, so the parameter name and execution function are the stable indicators, not the specific command.
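Added detection example (not from the original page or any of the cited sources): a small Python scanner that applies the indicators above to constructed proxy/WAF records carrying request and response bodies. The JSON field names, the sample records and the handling of WordPress's ?rest_route= fallback are assumptions made for this example.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the Detection & IOCs list above.
BACKDOOR_ROUTE = "am-member/license"
PARAM_HINTS = ("blowfish", "blowf")
CANARY = "9061-2202-EVC"  # reverse of 'CVE-2022-1609', emitted by the nuclei check
PHP_CALL = re.compile(r"\b[A-Za-z_]\w*\s*\(")  # a PHP call such as system( in 'blowf'

# Constructed sample records: JSON lines from a hypothetical proxy/WAF that logs
# request bodies and response bodies. Not real traffic; field names are assumed.
SAMPLE_JSONL = [
    '{"client": "198.51.100.7", "method": "GET", "url": "/wp-json/wp/v2/posts", '
    '"body": "", "response_body": "[]"}',
    '{"client": "203.0.113.9", "method": "POST", "url": "/wp-json/am-member/license", '
    '"body": "blowfish=1&blowf=system(\'id\');", "response_body": "uid=33(www-data)"}',
    '{"client": "203.0.113.9", "method": "POST", "url": "/index.php?rest_route=/am-member/license", '
    '"body": "blowfish=1", "response_body": "9061-2202-EVC"}',
]

def targets_backdoor_route(url: str) -> bool:
    """True if the URL addresses the backdoor route, either under /wp-json/ or via
    the ?rest_route= query fallback WordPress accepts when pretty permalinks are off."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").endswith("/wp-json/" + BACKDOOR_ROUTE):
        return True
    rest_route = parse_qs(parts.query).get("rest_route", [""])[0]
    return rest_route.strip("/") == BACKDOOR_ROUTE

def inspect_record(rec: dict) -> list:
    """Return the indicator names matched by one logged request/response pair."""
    hits = []
    if rec.get("method", "").upper() == "POST" and targets_backdoor_route(rec.get("url", "")):
        hits.append("post_to_backdoor_route")
        params = parse_qs(rec.get("body", ""))
        hits += [f"param:{p}" for p in PARAM_HINTS if p in params]
        if PHP_CALL.search(params.get("blowf", [""])[0]):
            hits.append("blowf_contains_php_call")
    if CANARY in rec.get("response_body", ""):
        hits.append("canary_in_response")
    return hits

def scan_jsonl(lines) -> dict:
    """Map each client IP to the union of indicators it triggered; clients with no
    hits are omitted, so the result is the alert set for this batch of records."""
    alerts = {}
    for line in lines:
        rec = json.loads(line)
        hits = inspect_record(rec)
        if hits:
            alerts.setdefault(rec.get("client", "?"), set()).update(hits)
    return alerts

if __name__ == "__main__":
    for client, hits in scan_jsonl(SAMPLE_JSONL).items():
        print(client, sorted(hits))
```

A single hit on the canary or on the 'blowf' parameter is enough to escalate; the route match alone is worth a low-priority alert because legitimate clients have no reason to POST to that license endpoint.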
CVSS provenance
- NVD: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-4g99-5gw9-42hv: The School Management WordPress plugin before 9
ghsa_unreviewed · 2024-01-16 · CVE-2022-1609 · CRITICAL · CWE-94
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in its license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.
VulnCheck
weblizar school_management Improper Control of Generation of Code ('Code Injection')
vulncheck · 2022 · CVE-2022-1609 · CRITICAL · CVSS 9.8
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in its license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.
Affected: weblizar school_management
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/school-management-pro/wordpress-school-management-pro-premium-plugin-9-9-7-unauthenticated-remote-code-execution-rce-via-rest-api
Exploit PoC: https://vulncheck.com/xdb/c32c76ba709f; https://vulncheck.com/xdb
No detection rules found.
Nuclei
The School Management < 9.9.7 - Remote Code Execution
nuclei · CVE-2022-1609 · CRITICAL · CVSS 9.8
The School Management plugin before version 9.9.7 contains an obfuscated backdoor injected in its license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.
Template (excerpt):
```yaml
id: CVE-2022-1609
info:
  name: The School Management < 9.9.7 - Remote Code Execution
  author: For3stCo1d
  severity: critical
  description: The School Management plugin before version 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected sys
```
Bugzilla
CVE-2023-40267 GitPython: Insecure non-multi options in clone and clone_from is not blocked
bugzilla · 2023-08-11 · CVE-2023-40267 · CRITICAL · CVSS 9.8
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
References:
- https://github.com/gitpython-developers/GitPython/commit/ca965ecc81853bca7675261729143f54e5bf4cdd
- https://github.com/gitpython-developers/GitPython/pull/1609
Discussion:
Created GitPython tracking bugs for this issue:
- Affects: epel-all [bug 2231476]
- Affects: fedora-all [bug 2231475]
- Affects: openstack-rdo [bug 2231477]
---
This issue has been addressed in the following products:
- Red Hat Ansible Automation Platform 2.4 for RHEL 9
- Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2023:4971 https://access.redh