School Management System
CVE-2024-12609
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via the 'view-attendance' page in all versions up to, and including, 92.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the mj_smgt_view_student_attendance() function. This makes it possible for authenticated attackers, with Student-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via the 'view-attendance' page in all versions up to, and including, 92.0.0 due to insufficient escaping. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via the 'view-attendance' page in all versions up to, and including, 92.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the mj_smgt_view_student_attendance() function. This makes it possible for authenticated attackers, with Student-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Affected products include: Dasinfomedia School Management System.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
More in School Management System
View allSchool Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the transport paramet
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the sid parameter at
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the password paramete
SQL injection in School Management System 1.0 allows remote attackers to modify or delete data, causing persistent chang
Mojoomla School Management System for WordPress allows SQL Injection via the id parameter. Rated high severity (CVSS 8.8
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today