CVE-2024-9660
📋 TL;DR
This vulnerability allows authenticated attackers with Student-level access or higher to upload arbitrary files to WordPress sites running the School Management System plugin. This can lead to remote code execution by uploading malicious files such as PHP shells. All WordPress sites using this plugin up to and including version 91.5.0 are affected.
💻 Affected Systems
- School Management System for WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to steal data, install malware, or pivot to other systems.
Likely Case
Website defacement, data theft, or installation of backdoors for persistent access.
If Mitigated
Limited to file uploads that don't execute due to server hardening, but still enables storage of malicious content.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 91.5.0
Vendor Advisory: https://codecanyon.net/item/school-management-system-for-wordpress/11470032
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'School Management System' and update to the latest version.
4. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable functions via .htaccess
Block access to the vulnerable upload endpoints:
# Add to .htaccess in WordPress root:
<Files "mj_smgt_load_documets*">
Order Allow,Deny
Deny from all
</Files>
Note that <Files> matches on the name of the file being served, so this rule only blocks requests for files with that name; it does not inspect the action parameter of requests routed through /wp-admin/admin-ajax.php, which a request log or WAF rule would have to cover.
Restrict file uploads via web server
Configure the web server to block execution of uploaded files in upload directories:
# For Apache in upload directory .htaccess (Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny lines with "Require all denied"):
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
Order Deny,Allow
Deny from all
</FilesMatch>
# For Nginx in server block:
location ~* ^/wp-content/uploads/.*\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$ {
deny all;
}
🧯 If You Can't Patch
- Disable the School Management System plugin immediately
- Implement strict file upload validation at the application level
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'School Management System' version 91.5.0 or lower
Check Version:
wp plugin list --name='school-management-system' --field=version
Verify Fix Applied:
Confirm plugin version is higher than 91.5.0 in WordPress admin panel
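The version check above compares a dotted version string against 91.5.0. The following is an added example, not part of the original advisory, that does the comparison numerically (a plain string comparison would wrongly rank a hypothetical 91.10.0 below 91.5.0) and wraps the wp-cli command quoted above; the plugin slug `school-management-system` is taken from that command and the `is_vulnerable`/`installed_version` function names are my own.

```python
import re
import subprocess
from typing import Optional, Tuple

# From the advisory: every release up to and including 91.5.0 is affected.
LAST_AFFECTED = "91.5.0"

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '91.5.0' into (91, 5, 0) so components compare numerically.
    A plain string comparison would rank '91.10.0' below '91.5.0'."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric version components in {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when the installed version is at or below the last affected release."""
    return parse_version(version) <= parse_version(last_affected)

def installed_version(slug: str = "school-management-system") -> Optional[str]:
    """Run the wp-cli command from the advisory and return the version string,
    or None when wp-cli is unavailable or the plugin is not installed."""
    try:
        proc = subprocess.run(
            ["wp", "plugin", "list", f"--name={slug}", "--field=version"],
            capture_output=True, text=True, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip() or None

if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("plugin not found or wp-cli unavailable")
    else:
        print(f"installed {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Run it from the WordPress root on the server (wp-cli resolves the site from the current directory); `is_vulnerable` can also be used on its own against the version shown in the admin panel.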
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/ directory
- POST requests to mj_smgt_load_documets or mj_smgt_load_documets_new endpoints
- Execution of unexpected PHP files in upload directories
Network Indicators:
- HTTP POST requests with file uploads to plugin-specific endpoints
- Unusual outbound connections from web server after file uploads
SIEM Query:
source="web_server_logs" AND (uri="/wp-admin/admin-ajax.php" AND post_data CONTAINS "mj_smgt_load_documets")
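The log indicators above can be applied to ordinary access logs. The script below is an added example (not from the advisory or the plugin vendor) that scans combined-format access-log lines for the two plugin actions named above and for requests to script files under /wp-content/uploads/ (using the same extension list as the web-server rules above), then pairs them per client IP into an upload-then-execute sequence. It assumes the action name is visible in the request target; when it is sent only in the POST body, access logs do not contain it and an application or WAF log has to be used instead. The sample log lines are constructed for the dry run; the rule names and functions are my own.

```python
import re
from typing import Iterable, List, Optional, Set

# Matches the common Apache/Nginx "combined" access-log layout; captures the
# client IP, timestamp, HTTP method, request target (path + query) and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The two plugin actions named in the advisory. Assumption: the action name is
# visible in the request target (query string); if it travels only in the POST
# body, this rule cannot see it.
ENDPOINT_RE = re.compile(r"mj_smgt_load_documets(?:_new)?(?![A-Za-z0-9_])")

# Same extension list as the advisory's Apache/Nginx hardening rules, applied to
# the request path so that a request for a script under uploads/ is flagged.
SCRIPT_IN_UPLOADS_RE = re.compile(
    r"^/wp-content/uploads/.*\.(?:php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$",
    re.IGNORECASE,
)

# Constructed sample log lines for a dry run (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:12:00:07 +0000] "POST /wp-admin/admin-ajax.php?action=mj_smgt_load_documets_new HTTP/1.1" 200 53 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:12:00:09 +0000] "GET /wp-content/uploads/2024/10/upload.php?x=1 HTTP/1.1" 200 240 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2024:12:01:00 +0000] "GET /wp-content/uploads/2024/10/photo.jpg HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2024:12:01:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

def classify(line: str) -> Optional[dict]:
    """Return an alert dict for a log line that matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m["target"]
    path = target.split("?", 1)[0]
    rules: List[str] = []
    if m["method"] == "POST" and ENDPOINT_RE.search(target):
        rules.append("plugin_upload_endpoint")
    if SCRIPT_IN_UPLOADS_RE.match(path):
        rules.append("script_request_in_uploads")
    if not rules:
        return None
    return {"ip": m["ip"], "time": m["time"], "target": target,
            "status": int(m["status"]), "rules": rules}

def scan(lines: Iterable[str]) -> List[dict]:
    """Run classify() over every line and keep the hits, in log order."""
    return [a for a in (classify(l) for l in lines) if a is not None]

def upload_then_execute(alerts: Iterable[dict]) -> Set[str]:
    """IPs that hit the plugin upload action and afterwards requested a script
    under uploads/ with a 2xx status: the sequence to triage first."""
    seen_upload: Set[str] = set()
    suspects: Set[str] = set()
    for a in alerts:
        if "plugin_upload_endpoint" in a["rules"]:
            seen_upload.add(a["ip"])
        if ("script_request_in_uploads" in a["rules"] and a["ip"] in seen_upload
                and 200 <= a["status"] < 300):
            suspects.add(a["ip"])
    return suspects

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["time"], h["ip"], h["rules"], h["target"])
    print("upload-then-execute:", sorted(upload_then_execute(hits)))
```

On the sample data the second and third lines are flagged and 203.0.113.5 is reported as the upload-then-execute suspect; the photo request and the unrelated heartbeat action produce nothing. A 2xx on the uploads script request is the signal that the web-server hardening above is not in place, which is why the sequence check filters on status.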