Impact
The School Management plugin for WordPress contains an insecure direct object reference flaw that can be exploited without authentication. Based on the description, it is inferred that an attacker can manipulate internal identifiers such as student or class IDs to read or modify records that belong to other users, potentially exposing personal data or altering academic records. This weakness is classified as CWE‑639, which denotes a privilege and access control failure, and has a CVSS score of 5.3 indicating a moderate risk to confidentiality and integrity for affected users. The description explicitly states that the vulnerability allows unauthorized access to object data, and no additional privileges beyond existing web access are required to exploit it.
Affected Systems
The vulnerability affects the WordPress School Management plugin distributed by Mojoomla. All installations running any version up to and including 93.1.0 are potentially impacted; any custom deployments that use these plugin versions also remain at risk. No specific sub‑builds or environments are named, so any WordPress installation that hosts the plugin and uses it without additional safeguards should consider itself exposed.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, which implies that no publicly known exploitation trend has been detected so far. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not a known high-profile exploit. The likely attack vector is unauthenticated access to the plugin's object routes; an attacker only needs to guess or enumerate valid identifiers. Because the flaw resides in a third-party WordPress component, the exposure depends on how the plugin is configured and on the overall WordPress security posture.
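An added example, not taken from the advisory or the plugin: a Python access-log check for the identifier enumeration described above, flagging clients that successfully fetch many distinct numeric IDs through one parameter. The `/index.php` route, the `student_id` and `class_id` parameter names and the log lines are constructed assumptions; substitute the routes the plugin actually exposes.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample lines. The route and the student_id / class_id
# parameter names are hypothetical, not taken from the plugin.
SAMPLE_LOG = [
    f'198.51.100.7 - - [01/Jan/2025:10:00:{i:02d} +0000] '
    f'"GET /index.php?view=student&student_id={100 + i} HTTP/1.1" 200 812'
    for i in range(1, 7)
] + [
    '198.51.100.7 - - [01/Jan/2025:10:00:07 +0000] "GET /index.php?view=student&student_id=107 HTTP/1.1" 404 120',
    '203.0.113.20 - - [01/Jan/2025:10:01:00 +0000] "GET /index.php?view=student&student_id=42 HTTP/1.1" 200 812',
    '203.0.113.20 - - [01/Jan/2025:10:02:00 +0000] "GET /index.php?view=student&student_id=42 HTTP/1.1" 200 812',
    '203.0.113.20 - - [01/Jan/2025:10:03:00 +0000] "GET /index.php?view=class&class_id=3 HTTP/1.1" 200 640',
    'not a log line',
]


def find_id_enumeration(lines, min_distinct_ids=5):
    """Return {(client, path, param): sorted ids} for clients that fetched
    at least min_distinct_ids different numeric IDs with a 2xx response."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        if not 200 <= status < 300:
            continue  # only successful object reads count
        url = urlsplit(target)
        for name, value in parse_qsl(url.query):
            if value.isascii() and value.isdigit():
                seen[(client, url.path, name)].add(int(value))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct_ids}


if __name__ == "__main__":
    for key, ids in find_id_enumeration(SAMPLE_LOG).items():
        print(key, ids)
```

Tune `min_distinct_ids` to the site's normal traffic; a legitimate user normally touches only a handful of records per session.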