Description
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to delete arbitrary user accounts.
Published: 2025-03-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized User Deletion
Action: Update Plugin
AI Analysis

Impact

The WPSchoolPress WordPress plugin fails to enforce a capability check in its wpsp_DeleteUser() function, allowing any authenticated user with teacher-level access or higher to delete any user account. This flaw can result in the loss of user profiles and the data associated with them, disrupting school operations. The weakness is a missing authorization control (CWE-862).

Affected Systems

All installations of the WPSchoolPress plugin with version 2.2.16 or earlier are vulnerable. The vendor is jdsofttech and the product is the School Management System – WPSchoolPress, available as a WordPress plugin. The issue is fixed in version 2.2.17 and later.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated session with teacher-level or higher privileges, with no publicly exploitable incident vector reported. The risk is moderate, but the practical exploitation probability remains low under current circumstances.

Generated by OpenCVE AI on April 21, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPSchoolPress plugin to version 2.2.17 or later.
  • Review and restrict teacher-level role assignments to only those users who truly require user deletion capabilities.
  • Enable and monitor activity logs for user deletion events to detect and respond to unauthorized attempts.

Generated by OpenCVE AI on April 21, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-6628 The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to delete arbitrary user accounts.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00034}

 epss

{'score': 0.00044}

Fri, 28 Mar 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Igexsolutions
Igexsolutions wpschoolpress
CPEs cpe:2.3:a:igexsolutions:wpschoolpress:*:*:*:*:*:wordpress:*:*
Vendors & Products Igexsolutions
Igexsolutions wpschoolpress

Mon, 17 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 15 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Description The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to delete arbitrary user accounts.
Title School Management System – WPSchoolPress <= 2.2.16 - Missing Authorization to Arbitrary User Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Igexsolutions Wpschoolpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:56.872Z

Reserved: 2025-02-24T21:24:40.224Z

Link: CVE-2025-1668

cve-icon Vulnrichment

Updated: 2025-03-17T16:57:02.038Z

cve-icon NVD

Status : Modified

Published: 2025-03-15T04:15:21.457

Modified: 2026-04-08T19:23:51.157

Link: CVE-2025-1668

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses