School Management
CVE-2025-15657
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-exploitable IDOR with no authentication, low complexity, and impact limited to partial read access with no integrity or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions.
AnalysisAI
Unauthenticated Insecure Direct Object Reference (IDOR) in the Mojoomla School Management WordPress plugin (versions <= 93.1.0) allows remote attackers to access restricted school records by manipulating user-controlled object identifiers without any authorization check. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network exploitability with no authentication required, exposing student, staff, or institutional data to unauthorized disclosure. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Technical ContextAI
CWE-639 (Authorization Through User-Controlled Key) describes a class of access control flaws where the application relies on a client-supplied value - typically a numeric ID, UUID, or slug - to retrieve an object, without verifying that the requesting user is authorized to access that specific object. In WordPress plugin context, this typically manifests as REST API endpoints, AJAX handlers (wp-admin/admin-ajax.php), or page query parameters that accept an object identifier (e.g., student ID, enrollment record ID) and return the associated data without session or permission validation. The affected product is identified by CPE cpe:2.3:a:mojoomla:school_management:*:*:*:*:*:*:*:*, covering all releases of the Mojoomla School Management plugin through version 93.1.0 on WordPress.
RemediationAI
Update the Mojoomla School Management plugin to a version above 93.1.0 as the primary remediation action; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/school-management/vulnerability/wordpress-school-management-plugin-plugin-93-1-0-insecure-direct-object-references-idor-vulnerability for the confirmed patched release version, as an exact fix version was not independently confirmed in the available input data. If an immediate update is not possible, restrict access to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) and any REST API routes exposed by this plugin to authenticated sessions only, using a Web Application Firewall rule or server-level authentication gate - note this may break legitimate unauthenticated plugin functionality and should be tested in staging first. Additionally, enable WordPress user authentication for all front-end requests to the plugin's data-serving endpoints as a compensating control.
More in School Management
View allImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar School Ma
Privilege escalation in the Mojoomla School Management WordPress plugin (versions up to and including 93.2.0) allows aut
SQL injection in Mojoomla School Management plugin for WordPress (versions up to and including 93.2.0) allows high-privi
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today