Skip to main content

JP Students Result Management System Premium CVE-2025-31916

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-05-23 audit@patchstack.com
9.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 28, 2026 - 20:08 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:43 vuln.today
CVE Published
May 23, 2025 - 13:15 nvd
CRITICAL 9.0

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in joy2012bd JP Students Result Management System Premium allows Upload a Web Shell to a Web Server. This issue affects JP Students Result Management System Premium: from 1.1.7 through n/a.

AnalysisAI

Unrestricted file upload in JP Students Result Management System Premium WordPress plugin versions 1.1.7 and later enables remote unauthenticated attackers to upload and execute malicious web shells, achieving complete server compromise with high complexity exploitation requirements. Reported by Patchstack security researchers, this vulnerability carries a 0.31% EPSS exploitation probability (54th percentile), indicating moderate but not negligible real-world risk. No active exploitation confirmed in CISA KEV at time of analysis, though the cross-scope impact (S:C in CVSS vector) suggests potential for lateral movement beyond the WordPress application itself.

Technical ContextAI

This vulnerability stems from CWE-434 (Unrestricted Upload of File with Dangerous Type), a classic web application security flaw where insufficient validation allows attackers to upload executable code disguised as legitimate files. The affected component is a WordPress plugin designed for educational institutions to manage student results. The plugin fails to properly validate file extensions, MIME types, or content before accepting uploads, enabling attackers to bypass restrictions and place PHP web shells or other server-side scripts in web-accessible directories. The CVSS vector indicates network-based exploitation (AV:N) with high attack complexity (AC:H), suggesting exploitation requires specific timing, configuration knowledge, or race conditions rather than straightforward upload abuse. The changed scope metric (S:C) is particularly significant for WordPress plugins, indicating the vulnerability can impact resources beyond the plugin's security boundary-potentially the underlying web server, filesystem, or other WordPress components.

Affected ProductsAI

The vulnerability affects JP Students Result Management System Premium WordPress plugin version 1.1.7 and potentially later versions (indicated by 'through n/a' in the CVE description, meaning the upper bound is undefined at publication). This is a premium (paid) WordPress plugin developed by joy2012bd, primarily deployed in educational institutions for managing student examination results and grade reporting. The Patchstack database entry at https://patchstack.com/database/wordpress/plugin/jp-students-result-system-premium/vulnerability/wordpress-jp-students-result-management-system-premium-plugin-1-1-7-arbitrary-file-upload-vulnerability serves as the primary vendor advisory source. No CPE identifiers were provided in the available data, limiting automated asset inventory correlation.

RemediationAI

Organizations should immediately check if JP Students Result Management System Premium plugin is installed (verify in WordPress admin under Plugins) and determine the installed version. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jp-students-result-system-premium/ for vendor-released patched versions-as of this analysis, the exact fixed version number was not confirmed in available NVD data, indicating either delayed vendor response or ongoing patching process. If no patch is available or upgrade is delayed, implement defense-in-depth controls: (1) Restrict access to the WordPress admin panel and plugin upload functionality to trusted IP ranges via web application firewall rules or .htaccess directives-this reduces attack surface but breaks remote administration workflows. (2) Deploy file upload validation at the web server level using ModSecurity or similar WAF rulesets to block executable file extensions (.php, .phtml, .php5, .phar) in upload directories-note this may interfere with legitimate plugin functionality requiring server-side script uploads. (3) Configure web server to prevent script execution in upload directories via .htaccess (Apache) or location blocks (Nginx) with 'php_flag engine off' or similar directives-this prevents uploaded shells from executing but may break plugins relying on processed uploads. (4) As a temporary emergency measure, disable the entire plugin if student result management can be suspended, though this impacts core institutional operations. Verify Patchstack advisory for plugin-specific workarounds and monitor WordPress security channels for updated guidance.

Share

CVE-2025-31916 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy