Researchers said on Friday that they found a malicious backdoor in a WordPress plugin that gave attackers full control of websites that used the package, which is marketed to schools.
The premium version of School Management, a plugin schools use to operate and manage their websites, has contained the backdoor since at least version 8.9, researchers at website security service Jetpack said in a blog post, without ruling out that it had been present in earlier versions. This page from a third-party site shows that version 8.9 was released last August.
Jetpack said it discovered the backdoor after support team members at WordPress.com reported finding heavily obfuscated code on several sites that used School Management Pro. After deobfuscating it, they realized that the code, stashed in the license-checking part of the plugin, was intentionally placed there with the goal of giving outsiders the ability to take control of sites.