School Management
Monthly
Unauthenticated Insecure Direct Object Reference (IDOR) in the Mojoomla School Management WordPress plugin (versions <= 93.1.0) allows remote attackers to access restricted school records by manipulating user-controlled object identifiers without any authorization check. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network exploitability with no authentication required, exposing student, staff, or institutional data to unauthorized disclosure. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Privilege escalation in the Mojoomla School Management WordPress plugin (versions up to and including 93.2.0) allows authenticated low-privileged users to elevate their permissions to higher-privileged roles such as administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 3.1 score of 8.8 with no public exploit identified at time of analysis. Any WordPress site running the plugin in its default state is vulnerable until an upstream patch is released.
SQL injection in Mojoomla School Management plugin for WordPress (versions up to and including 93.2.0) allows high-privileged authenticated attackers to inject crafted SQL through unsanitized input, leading to confidentiality compromise of the underlying database and limited availability impact. The scope-changed CVSS 7.6 rating reflects that exploitation can affect resources beyond the vulnerable component, such as the shared WordPress database hosting other plugins or sites. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar School Management Pro.3.4. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unauthenticated Insecure Direct Object Reference (IDOR) in the Mojoomla School Management WordPress plugin (versions <= 93.1.0) allows remote attackers to access restricted school records by manipulating user-controlled object identifiers without any authorization check. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network exploitability with no authentication required, exposing student, staff, or institutional data to unauthorized disclosure. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Privilege escalation in the Mojoomla School Management WordPress plugin (versions up to and including 93.2.0) allows authenticated low-privileged users to elevate their permissions to higher-privileged roles such as administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 3.1 score of 8.8 with no public exploit identified at time of analysis. Any WordPress site running the plugin in its default state is vulnerable until an upstream patch is released.
SQL injection in Mojoomla School Management plugin for WordPress (versions up to and including 93.2.0) allows high-privileged authenticated attackers to inject crafted SQL through unsanitized input, leading to confidentiality compromise of the underlying database and limited availability impact. The scope-changed CVSS 7.6 rating reflects that exploitation can affect resources beyond the vulnerable component, such as the shared WordPress database hosting other plugins or sites. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar School Management Pro.3.4. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.