Impact
Failure to neutralize special elements in an SQL command is a classic SQL injection flaw (CWE-89): a request parameter is concatenated into a backend query, so an attacker who controls that parameter can change the structure of the query and read, modify or delete data the query was never meant to touch. This instance resides in the Mojoomla School Management plugin for WordPress, which accepts user-supplied parameters without adequate sanitization. All released versions up to and including 93.2.0 are affected, and any WordPress site running the plugin at one of those versions is exposed. No specific operating system requirement applies, since the flaw is in the PHP code executed within the WordPress environment.

The blast radius is the WordPress installation where the plugin is active, but that is not a small scope. Every plugin issues its queries with the single database account configured in wp-config.php, so an injection reached through the school-management tables can be pointed at the rest of the schema, including student records, wp_users (login names and password hashes) and wp_options. The CVSS score of 7.6 falls in the High band; the advisory does not reproduce the vector string, so attack complexity and required privileges cannot be read from the score alone. No EPSS score is available, so no estimate of exploitation likelihood can be quoted. The vulnerability is not listed in the CISA KEV catalog, which means no confirmed in-the-wild exploitation has been recorded, not that none has occurred. Because the plugin is driven over HTTP, exploitation is remote; whether it requires a logged-in account depends on which endpoint accepts the tainted parameter, which the advisory does not specify. No fixed version is named here; until the vendor's patched release is applied, treat the site's database as reachable by anyone who can reach the plugin's endpoints.
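The difference between splicing a request value into the query text and binding it, as an added example rather than code from the Mojoomla plugin (the advisory does not disclose the vulnerable parameter): a constructed SQLite schema standing in for a student table and the WordPress users table, lookups that concatenate the request value the way the flawed PHP does, and the same lookups done with type validation and bound parameters, the equivalent of WordPress's $wpdb->prepare() with %d and %s placeholders. Table names, column names, rows and the class_id/name parameters are all assumptions.

```python
import sqlite3

# Added illustration of CWE-89 in a school-management plugin; the schema,
# rows, parameter names and the password hash below are all constructed.


def build_db():
    """In-memory database mimicking a plugin table plus the site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, "
        "class_id INTEGER, guardian_phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO students (name, class_id, guardian_phone) VALUES (?, ?, ?)",
        [("Ada", 3, "555-0101"), ("Ben", 3, "555-0102"), ("Cy", 4, "555-0103")],
    )
    # Stand-in for wp_users: a different table, but the same database and the
    # same credentials, so a UNION in the plugin's query can read it.
    conn.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', '$P$Bconstructedhash')")
    return conn


def students_vulnerable(conn, class_id):
    """CWE-89: the request parameter is concatenated into the SQL text, the
    Python equivalent of $wpdb->get_results("... = " . $_GET['class_id'])."""
    sql = "SELECT name, guardian_phone FROM students WHERE class_id = " + str(class_id)
    return conn.execute(sql).fetchall()


def students_fixed(conn, class_id):
    """Integer parameter: validate the type, then bind it. Equivalent of
    $wpdb->prepare("... WHERE class_id = %d", $class_id) after absint()."""
    if not str(class_id).isdigit():
        raise ValueError("class_id must be a non-negative integer")
    return conn.execute(
        "SELECT name, guardian_phone FROM students WHERE class_id = ?",
        (int(class_id),),
    ).fetchall()


def search_vulnerable(conn, name):
    """String parameter spliced between quotes; a stray quote ends the literal."""
    sql = "SELECT name, guardian_phone FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, name):
    """String parameter bound as data; quotes inside it are just characters.
    Equivalent of $wpdb->prepare("... WHERE name = %s", $name)."""
    return conn.execute(
        "SELECT name, guardian_phone FROM students WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run the same constructed payloads through both code paths."""
    conn = build_db()
    union_payload = "0 UNION SELECT user_login, user_pass FROM users"
    quote_payload = "x' OR '1'='1"
    try:
        students_fixed(conn, union_payload)
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True
    return {
        "legit_vulnerable": students_vulnerable(conn, "3"),
        "legit_fixed": students_fixed(conn, "3"),
        # Integer context: the payload turns a class lookup into a dump of users.
        "union_vulnerable": students_vulnerable(conn, union_payload),
        "union_fixed_rejected": fixed_rejected,
        # String context: the payload makes the WHERE clause always true.
        "quote_vulnerable": search_vulnerable(conn, quote_payload),
        "quote_fixed": search_fixed(conn, quote_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The fixed variants do two things the vulnerable ones skip: they decide what type the parameter is allowed to be before it reaches the database, and they hand the value to the driver as a bound parameter so it can never be parsed as SQL. In WordPress that is absint() or sanitize_text_field() followed by $wpdb->prepare(); sanitization alone, without the placeholder, is not enough.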
Affected Systems
Mojoomla School Management plugin for WordPress versions up to and including 93.2.0.
Risk and Exploitability
The CVSS score of 7.6 places the issue in the High band; without the published vector string the score alone does not say whether exploitation is easy or hard. No EPSS score is available, and the vulnerability is not in the CISA KEV catalog, which records no confirmed widespread exploitation rather than ruling it out. The attack vector is network: the plugin takes its parameters from HTTP requests, so an attacker who can reach the vulnerable endpoint can submit crafted values and have them executed as SQL against the site's database. The advisory does not state whether that endpoint requires authentication, which is the main open question for triage; a site that exposes the plugin's pages to unauthenticated visitors should be assumed exploitable by anyone who can reach it.
OpenCVE Enrichment