Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla School Management allows SQL Injection.
This issue affects School Management: from n/a through 93.2.0.
AnalysisAI
SQL injection in Mojoomla School Management plugin for WordPress (versions up to and including 93.2.0) allows high-privileged authenticated attackers to inject crafted SQL through unsanitized input, leading to confidentiality compromise of the underlying database and limited availability impact. The scope-changed CVSS 7.6 rating reflects that exploitation can affect resources beyond the vulnerable component, such as the shared WordPress database hosting other plugins or sites. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Mojoomla School Management is a WordPress plugin (CPE cpe:2.3:a:mojoomla:school_management) providing student, staff, and academic record management for educational institutions. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input is concatenated into SQL queries without parameterization or proper escaping via $wpdb->prepare(). Because the plugin operates on top of the shared WordPress MySQL database, injected SQL can reach core WordPress tables (wp_users, wp_options) as well as other plugins' tables, which aligns with the CVSS Scope:Changed indicator.
RemediationAI
No vendor-released patch identified at time of analysis based on the provided references; administrators should monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/school-management/vulnerability/wordpress-school-management-plugin-plugin-93-2-0-sql-injection-vulnerability and the Mojoomla vendor channel for a fixed release beyond 93.2.0. In the interim, consider deploying a Patchstack or Wordfence virtual-patching WAF rule targeting the plugin's request paths, tightly restricting which user roles can access School Management administrative pages (since exploitation requires PR:H), enforcing least privilege so that only trusted staff hold the elevated roles required, and enabling database query logging to detect anomalous SQL patterns. Temporarily deactivating the plugin is the strongest mitigation but removes school-management functionality - a trade-off only acceptable where the feature is non-critical.
More in School Management
View allImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar School Ma
Privilege escalation in the Mojoomla School Management WordPress plugin (versions up to and including 93.2.0) allows aut
Unauthenticated Insecure Direct Object Reference (IDOR) in the Mojoomla School Management WordPress plugin (versions <=
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210048
GHSA-v724-gm7g-f37c