cve/2022/CVE-2022-1609.md

### [CVE-2022-1609](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1609)
![](https://img.shields.io/static/v1?label=Product&message=school-management-pro&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%3C%209.9.7%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-94%20Improper%20Control%20of%20Generation%20of%20Code%20('Code%20Injection')&color=brighgreen)

### Description

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

### POC

#### Reference
- https://wpscan.com/vulnerability/e2d546c9-85b6-47a4-b951-781b9ae5d0f2/

#### Github
- https://github.com/0x007f/cve-2022-1609-exploit
- https://github.com/0xSojalSec/-CVE-2022-1609
- https://github.com/0xSojalSec/CVE-2022-1609
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/NaInSec/CVE-PoC-in-GitHub
- https://github.com/WhooAmii/POC_to_review
- https://github.com/WitchWatcher/cve-2022-1609-exploit
- https://github.com/k0mi-tg/CVE-POC
- https://github.com/manas3c/CVE-POC
- https://github.com/nastar-id/WP-school-management-RCE
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/savior-only/CVE-2022-1609
- https://github.com/tuxsyscall/cve-2022-1609-exploit
- https://github.com/w4r3s/cve-2022-1609-exploit
- https://github.com/whoforget/CVE-POC
- https://github.com/youwizard/CVE-POC
- https://github.com/zecool/cve