CVE-2022-1609
The School Management < 9.9.7 - Unauthenticated RCE via REST api
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · school-management-propublic PoCs found — 5
githubgithub.com/0xSojalSec/-CVE-2022-1609★ 3githubgithub.com/savior-only/CVE-2022-1609★ 1githubgithub.com/itworksig/cve-2022-1609-exploit★ 1githubgithub.com/0xSojalSec/CVE-2022-1609★ 0cve_referencewpscan.com/vulnerability/e2d546c9-85b6-47a4-b951-781b9ae5d0f2/unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →