Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
5DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla School Management allows Blind SQL Injection. This issue affects School Management: from n/a through 92.0.0.
AnalysisAI
Blind SQL injection in mojoomla School Management plugin for WordPress enables remote unauthenticated attackers to extract database contents and potentially cause service disruption. The vulnerability affects all versions up to and including 92.0.0, with public exploitation probability at 0.06% (EPSS percentile 18), indicating low observed exploitation attempts despite critical CVSS rating. Patchstack vulnerability database confirms the flaw but patch status remains unverified from available references.
Technical ContextAI
This is a blind SQL injection vulnerability (CWE-89) in the School Management WordPress plugin developed by mojoomla. Blind SQL injection occurs when user-controlled input is incorporated into SQL queries without proper sanitization or parameterization, allowing attackers to infer database structure and content through time-based or boolean-based inference techniques rather than direct output. The vulnerability manifests in versions through 92.0.0, suggesting insufficient input validation in database query construction. WordPress plugins commonly suffer from SQL injection when developers use direct SQL queries instead of WordPress's prepared statement APIs like $wpdb->prepare(). The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's authorization boundary, possibly allowing access to the underlying WordPress database shared by other plugins and core tables.
RemediationAI
Primary remediation requires upgrading to a patched version of School Management plugin; however, the specific fixed version number is not confirmed in available vendor advisories or Patchstack references as of this analysis. Administrators should check the WordPress plugin repository and mojoomla's official channels for updates beyond version 92.0.0. Until patched version is confirmed available, implement compensating controls: disable the School Management plugin entirely if not actively required for operations, restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules to prevent unauthenticated access to plugin endpoints, deploy web application firewall (WAF) with SQL injection detection rules targeting common blind SQLi patterns (time delays via SLEEP/BENCHMARK, boolean inference via OR/AND conditions), enable WordPress database query logging to detect anomalous SQL patterns, and apply principle of least privilege to WordPress database user permissions to limit potential data exposure. Note that WAF rules may cause false positives with legitimate plugin functionality and require tuning. Patchstack reference: https://patchstack.com/database/wordpress/plugin/school-management/vulnerability/wordpress-school-management-system-plugin-92-0-0-sql-injection-vulnerability.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18538