Skip to main content

School Management CVE-2025-15655

| EUVDEUVD-2025-210048 HIGH
SQL Injection (CWE-89)
2026-06-03 Patchstack GHSA-v724-gm7g-f37c
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 03, 2026 - 11:00 vuln.today
CVE Published
Jun 03, 2026 - 09:00 nvd
HIGH 7.6

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla School Management allows SQL Injection.

This issue affects School Management: from n/a through 93.2.0.

AnalysisAI

SQL injection in Mojoomla School Management plugin for WordPress (versions up to and including 93.2.0) allows high-privileged authenticated attackers to inject crafted SQL through unsanitized input, leading to confidentiality compromise of the underlying database and limited availability impact. The scope-changed CVSS 7.6 rating reflects that exploitation can affect resources beyond the vulnerable component, such as the shared WordPress database hosting other plugins or sites. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Mojoomla School Management is a WordPress plugin (CPE cpe:2.3:a:mojoomla:school_management) providing student, staff, and academic record management for educational institutions. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input is concatenated into SQL queries without parameterization or proper escaping via $wpdb->prepare(). Because the plugin operates on top of the shared WordPress MySQL database, injected SQL can reach core WordPress tables (wp_users, wp_options) as well as other plugins' tables, which aligns with the CVSS Scope:Changed indicator.

RemediationAI

No vendor-released patch identified at time of analysis based on the provided references; administrators should monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/school-management/vulnerability/wordpress-school-management-plugin-plugin-93-2-0-sql-injection-vulnerability and the Mojoomla vendor channel for a fixed release beyond 93.2.0. In the interim, consider deploying a Patchstack or Wordfence virtual-patching WAF rule targeting the plugin's request paths, tightly restricting which user roles can access School Management administrative pages (since exploitation requires PR:H), enforcing least privilege so that only trusted staff hold the elevated roles required, and enabling database query logging to detect anomalous SQL patterns. Temporarily deactivating the plugin is the strongest mitigation but removes school-management functionality - a trade-off only acceptable where the feature is non-critical.

Share

CVE-2025-15655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy