Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in Mojoomla School Management allows Privilege Escalation.
This issue affects School Management: from n/a through 93.2.0.
AnalysisAI
Privilege escalation in the Mojoomla School Management WordPress plugin (versions up to and including 93.2.0) allows authenticated low-privileged users to elevate their permissions to higher-privileged roles such as administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 3.1 score of 8.8 with no public exploit identified at time of analysis. Any WordPress site running the plugin in its default state is vulnerable until an upstream patch is released.
Technical ContextAI
The affected software is Mojoomla School Management, a WordPress plugin (CPE cpe:2.3:a:mojoomla:school_management:*) used by educational institutions to manage students, staff, classes, and administrative workflows. The root cause is classified as CWE-266 (Incorrect Privilege Assignment), a weakness in which the application assigns a user or process a privilege level that is broader than intended - typically due to missing role checks, improper use of WordPress capability APIs (e.g., current_user_can / add_role / set_role), or trust placed in client-supplied role parameters. In WordPress plugin ecosystems this class of bug commonly arises when AJAX endpoints, REST routes, or form handlers fail to validate the requesting user's existing capabilities before assigning new roles or meta-capabilities.
RemediationAI
No vendor-released patch identified at time of analysis; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/school-management/vulnerability/wordpress-school-management-plugin-93-2-0-privilege-escalation-vulnerability lists 93.2.0 as the last known vulnerable version without a confirmed fixed release, so administrators should monitor that advisory and the plugin's WordPress.org page for a release greater than 93.2.0 and upgrade as soon as it is published. As compensating controls until a patch is available, deactivate and remove the School Management plugin (which will disable school-management workflows but eliminates exposure), or restrict access to the WordPress site behind authentication-gated network controls (VPN or IP allowlist for wp-admin and wp-json) to prevent low-privileged authenticated attackers from reaching the vulnerable endpoints - noting this breaks legitimate self-service access for students and parents. Additionally, audit existing user roles for unexpected administrator or elevated accounts, disable open user registration in WordPress settings, and consider deploying a virtual patch via a WAF such as Patchstack's mitigation feed.
More in School Management
View allImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar School Ma
SQL injection in Mojoomla School Management plugin for WordPress (versions up to and including 93.2.0) allows high-privi
Unauthenticated Insecure Direct Object Reference (IDOR) in the Mojoomla School Management WordPress plugin (versions <=
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210049
GHSA-45c8-xxm2-wjfx