CVE-2022-1609

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

School Management WordPress Plugin < 9.9.7 - Unauthenticated Remote Code Execution via Backdoor REST API Handler

Title source: llm

Exploitation Summary

CVE-2022-1609 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 5 public exploits from researchers including 0xSojalSec, itworksig, savior-only. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a backdoor in the Weblizar WordPress plugin to execute arbitrary system commands via a crafted POST request to the `/wp-json/am-member/license` endpoint. The script provides an interactive shell by injecting commands into the `blowf` parameter.

Description

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected into its license-checking code. The backdoor registers a REST API handler that allows an unauthenticated attacker to execute arbitrary PHP code on the site.

Exploits (5)

nomisec WORKING POC 3 stars
by 0xSojalSec · poc
https://github.com/0xSojalSec/-CVE-2022-1609

This exploit leverages a backdoor in the Weblizar WordPress plugin to execute arbitrary system commands via a crafted POST request to the `/wp-json/am-member/license` endpoint. The script provides an interactive shell by injecting commands into the `blowf` parameter.

Classification: Working Poc 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Weblizar plugin (unspecified version)
No auth needed
Prerequisites: Target must have the vulnerable Weblizar plugin installed and accessible
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by itworksig · poc
https://github.com/itworksig/cve-2022-1609-exploit

This is a functional exploit for CVE-2022-1609, targeting a WordPress Weblizar plugin backdoor. It leverages an arbitrary command execution vulnerability via the `/wp-json/am-member/license` endpoint by injecting commands into the `blowf` parameter.

Classification: Working Poc 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Weblizar plugin (unspecified version)
No auth needed
Prerequisites: Target must have the vulnerable Weblizar plugin installed and accessible · Network access to the target WordPress site
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by savior-only · remote
https://github.com/savior-only/CVE-2022-1609

This PoC demonstrates a remote command execution (RCE) vulnerability in WordPress Weblizar via a backdoor in the REST API endpoint. The exploit sends a crafted POST request to execute arbitrary system commands.

Classification: Working Poc 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Weblizar (version not specified)
No auth needed
Prerequisites: Access to the target WordPress REST API endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by 0xSojalSec · poc
https://github.com/0xSojalSec/CVE-2022-1609

This exploit leverages a backdoor in the Weblizar plugin for WordPress (CVE-2022-1609) to achieve remote command execution via a crafted POST request to the `/wp-json/am-member/license` endpoint. The script sends arbitrary commands through the `blowf` parameter, which are executed on the target system.

Classification: Working Poc 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Weblizar plugin (unspecified version)
No auth needed
Prerequisites: Target must have the vulnerable Weblizar plugin installed and accessible · The `/wp-json/am-member/license` endpoint must be reachable
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/iaaaannn0/cve-2022-1609-exploit

This repository contains a functional exploit for CVE-2022-1609, a backdoor in the Weblizar WordPress plugin. The exploit sends a crafted POST request to the vulnerable API endpoint to achieve remote code execution (RCE).

Classification: Working Poc 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Weblizar plugin (unspecified version)
No auth needed
Prerequisites: Target URL with vulnerable Weblizar plugin installed
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

The School Management < 9.9.7 - Remote Code Execution
CRITICAL · by For3stCo1d

References (1)

Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/e2d546c9-85b6-47a4-b951-781b9ae5d0f2/

Scores

CVSS v3 9.8
EPSS 0.9349
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2022-05-20
InTheWild.io 2022-11-16
CWE CWE-94
Status published
Products (1)
weblizar/school_management < 9.9.7
Published Jan 16, 2024
Tracked Since Feb 18, 2026