Skip to main content

School Management CVE-2025-47573

| EUVDEUVD-2025-18538 CRITICAL
SQL Injection (CWE-89)
2025-06-17 audit@patchstack.com
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 28, 2026 - 20:01 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-18538
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
CVE Published
Jun 17, 2025 - 15:15 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla School Management allows Blind SQL Injection. This issue affects School Management: from n/a through 92.0.0.

AnalysisAI

Blind SQL injection in mojoomla School Management plugin for WordPress enables remote unauthenticated attackers to extract database contents and potentially cause service disruption. The vulnerability affects all versions up to and including 92.0.0, with public exploitation probability at 0.06% (EPSS percentile 18), indicating low observed exploitation attempts despite critical CVSS rating. Patchstack vulnerability database confirms the flaw but patch status remains unverified from available references.

Technical ContextAI

This is a blind SQL injection vulnerability (CWE-89) in the School Management WordPress plugin developed by mojoomla. Blind SQL injection occurs when user-controlled input is incorporated into SQL queries without proper sanitization or parameterization, allowing attackers to infer database structure and content through time-based or boolean-based inference techniques rather than direct output. The vulnerability manifests in versions through 92.0.0, suggesting insufficient input validation in database query construction. WordPress plugins commonly suffer from SQL injection when developers use direct SQL queries instead of WordPress's prepared statement APIs like $wpdb->prepare(). The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's authorization boundary, possibly allowing access to the underlying WordPress database shared by other plugins and core tables.

RemediationAI

Primary remediation requires upgrading to a patched version of School Management plugin; however, the specific fixed version number is not confirmed in available vendor advisories or Patchstack references as of this analysis. Administrators should check the WordPress plugin repository and mojoomla's official channels for updates beyond version 92.0.0. Until patched version is confirmed available, implement compensating controls: disable the School Management plugin entirely if not actively required for operations, restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules to prevent unauthenticated access to plugin endpoints, deploy web application firewall (WAF) with SQL injection detection rules targeting common blind SQLi patterns (time delays via SLEEP/BENCHMARK, boolean inference via OR/AND conditions), enable WordPress database query logging to detect anomalous SQL patterns, and apply principle of least privilege to WordPress database user permissions to limit potential data exposure. Note that WAF rules may cause false positives with legitimate plugin functionality and require tuning. Patchstack reference: https://patchstack.com/database/wordpress/plugin/school-management/vulnerability/wordpress-school-management-system-plugin-92-0-0-sql-injection-vulnerability.

Share

CVE-2025-47573 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy