Skip to main content

Wpschoolpress CVE-2026-39631

| EUVDEUVD-2026-20282 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-4qx4-3c96-wjpr
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20282
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 4.9

DescriptionCVE.org

Missing Authorization vulnerability in Ronik@UnlimitedWP WPSchoolPress wpschoolpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSchoolPress: from n/a through <= 2.2.35.

AnalysisAI

WPSchoolPress plugin through version 2.2.35 allows authenticated high-privilege users to bypass authorization controls and access sensitive information they should not be able to view due to incorrectly configured access control security levels. The CVSS score of 4.9 reflects the confidentiality impact limited to authenticated high-privilege attackers with no integrity or availability risk, though the EPSS score of 0.02% suggests exploitation in real-world scenarios remains minimal at time of analysis. No public exploit code or active exploitation has been identified.

Technical ContextAI

WPSchoolPress is a WordPress plugin managing educational institution operations. The vulnerability stems from CWE-862 (Missing Authorization), a failure to implement proper access control mechanisms that verify whether an authenticated user has permission to perform requested actions. In this case, the plugin implements security levels (roles/capabilities) but does not consistently enforce them across all functional endpoints, allowing users with elevated privileges to query or access data restricted by those security levels. The CPE identifier cpe:2.3:a:ronik@unlimitedwp:wpschoolpress:*:*:*:*:*:*:*:* indicates all versions of the plugin are potentially affected.

RemediationAI

Update WPSchoolPress to a version later than 2.2.35 released by Ronik@UnlimitedWP. Users should navigate to their WordPress plugin dashboard, locate WPSchoolPress, and apply the latest available update. As an interim control pending patching, administrators should audit role-based access controls and restrict high-privilege accounts to only necessary users, verify that user permission checks are consistently applied across all plugin modules, and monitor WordPress user activity logs for unauthorized data access attempts. See Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/wpschoolpress/vulnerability/wordpress-wpschoolpress-plugin-2-2-35-broken-access-control-vulnerability?_s_id=cve) for patch availability confirmation and NVD advisory (https://nvd.nist.gov/vuln/detail/CVE-2026-39631) for additional technical details.

Share

CVE-2026-39631 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy