Skip to main content

Mojoomla School Management CVE-2025-15656

| EUVDEUVD-2025-210049 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-03 Patchstack GHSA-45c8-xxm2-wjfx
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 03, 2026 - 11:00 vuln.today

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Mojoomla School Management allows Privilege Escalation.

This issue affects School Management: from n/a through 93.2.0.

AnalysisAI

Privilege escalation in the Mojoomla School Management WordPress plugin (versions up to and including 93.2.0) allows authenticated low-privileged users to elevate their permissions to higher-privileged roles such as administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 3.1 score of 8.8 with no public exploit identified at time of analysis. Any WordPress site running the plugin in its default state is vulnerable until an upstream patch is released.

Technical ContextAI

The affected software is Mojoomla School Management, a WordPress plugin (CPE cpe:2.3:a:mojoomla:school_management:*) used by educational institutions to manage students, staff, classes, and administrative workflows. The root cause is classified as CWE-266 (Incorrect Privilege Assignment), a weakness in which the application assigns a user or process a privilege level that is broader than intended - typically due to missing role checks, improper use of WordPress capability APIs (e.g., current_user_can / add_role / set_role), or trust placed in client-supplied role parameters. In WordPress plugin ecosystems this class of bug commonly arises when AJAX endpoints, REST routes, or form handlers fail to validate the requesting user's existing capabilities before assigning new roles or meta-capabilities.

RemediationAI

No vendor-released patch identified at time of analysis; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/school-management/vulnerability/wordpress-school-management-plugin-93-2-0-privilege-escalation-vulnerability lists 93.2.0 as the last known vulnerable version without a confirmed fixed release, so administrators should monitor that advisory and the plugin's WordPress.org page for a release greater than 93.2.0 and upgrade as soon as it is published. As compensating controls until a patch is available, deactivate and remove the School Management plugin (which will disable school-management workflows but eliminates exposure), or restrict access to the WordPress site behind authentication-gated network controls (VPN or IP allowlist for wp-admin and wp-json) to prevent low-privileged authenticated attackers from reaching the vulnerable endpoints - noting this breaks legitimate self-service access for students and parents. Additionally, audit existing user roles for unexpected administrator or elevated accounts, disable open user registration in WordPress settings, and consider deploying a virtual patch via a WAF such as Patchstack's mitigation feed.

Share

CVE-2025-15656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy