Description
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'SCodes' parameter in all versions up to, and including, 2.2.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-11-14
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential data exposure through SQL injection
Action: Apply patch
AI Analysis

Impact

The School Management System – WPSchoolPress plugin for WordPress is affected by a SQL injection flaw in the 'SCodes' parameter. Insufficient escaping of the user-supplied value and the lack of a prepared (parameterized) query allow an attacker with administrator or higher privileges to append arbitrary SQL statements, which can be used to read or manipulate sensitive data stored in the database. The weakness is categorized as CWE-89 (improper neutralization of special elements used in an SQL command), an injection flaw that exposes the confidentiality and potentially the integrity of the system's data.

Affected Systems

Vendors affected include JDSoftTech’s School Management System – WPSchoolPress. All versions up to and including 2.2.23 are vulnerable. Users should verify the installed version and consider upgrading once a fix is available.

Risk and Exploitability

The CVSS score of 4.9 reflects a moderate risk, while the EPSS score of less than 1% indicates a very low predicted probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, suggesting no known active exploitation. However, the attack requires an authenticated administrator account, so the flaw is most relevant where credentials have been compromised or an insider is involved. Because the attacker can append SQL, the impact could involve unauthorized data leakage or alteration. Organizations should treat this as a manageable risk that can be mitigated through patching and monitoring.

Generated by OpenCVE AI on April 22, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the School Management System – WPSchoolPress plugin to version 2.2.24 or later to remove the SQL injection flaw.
  • If an immediate upgrade is not possible, restrict administrative access to the system and remove or disable the ability to pass user input to the 'SCodes' parameter through custom configuration or code modifications.
  • Implement continuous database activity monitoring to detect anomalous query patterns that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Sat, 15 Nov 2025 22:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Jdsofttech; Jdsofttech school Management System; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Jdsofttech; Jdsofttech school Management System; Wordpress; Wordpress wordpress

Fri, 14 Nov 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 14 Nov 2025 11:30:00 +0000

Type: Description
Values removed: (none)
Values added: The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'SCodes' parameter in all versions up to, and including, 2.2.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values removed: (none)
Values added: School Management System – WPSchoolPress <= 2.2.23 - Authenticated (Administrator+) SQL Injection

Type: Weaknesses
Values removed: (none)
Values added: CWE-89

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:15.118Z

Reserved: 2025-10-20T18:10:23.997Z

Link: CVE-2025-11981

Vulnrichment

Updated: 2025-11-14T13:21:29.905Z

NVD

Status: Deferred

Published: 2025-11-14T12:15:43.427

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11981

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses