Skip to main content

School Management CVE-2025-15657

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-17 Patchstack
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-exploitable IDOR with no authentication, low complexity, and impact limited to partial read access with no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:53 vuln.today

DescriptionCVE.org

Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions.

AnalysisAI

Unauthenticated Insecure Direct Object Reference (IDOR) in the Mojoomla School Management WordPress plugin (versions <= 93.1.0) allows remote attackers to access restricted school records by manipulating user-controlled object identifiers without any authorization check. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network exploitability with no authentication required, exposing student, staff, or institutional data to unauthorized disclosure. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

CWE-639 (Authorization Through User-Controlled Key) describes a class of access control flaws where the application relies on a client-supplied value - typically a numeric ID, UUID, or slug - to retrieve an object, without verifying that the requesting user is authorized to access that specific object. In WordPress plugin context, this typically manifests as REST API endpoints, AJAX handlers (wp-admin/admin-ajax.php), or page query parameters that accept an object identifier (e.g., student ID, enrollment record ID) and return the associated data without session or permission validation. The affected product is identified by CPE cpe:2.3:a:mojoomla:school_management:*:*:*:*:*:*:*:*, covering all releases of the Mojoomla School Management plugin through version 93.1.0 on WordPress.

RemediationAI

Update the Mojoomla School Management plugin to a version above 93.1.0 as the primary remediation action; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/school-management/vulnerability/wordpress-school-management-plugin-plugin-93-1-0-insecure-direct-object-references-idor-vulnerability for the confirmed patched release version, as an exact fix version was not independently confirmed in the available input data. If an immediate update is not possible, restrict access to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) and any REST API routes exposed by this plugin to authenticated sessions only, using a Web Application Firewall rule or server-level authentication gate - note this may break legitimate unauthenticated plugin functionality and should be tested in staging first. Additionally, enable WordPress user authentication for all front-end requests to the plugin's data-serving endpoints as a compensating control.

Share

CVE-2025-15657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy