Description
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-03-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Immediate Patch
AI Analysis

Impact

The WPSchoolPress plugin for WordPress contains an SQL Injection flaw in the ‘cid’ parameter that is insufficiently sanitized in all releases up to and including 2.2.16. Authenticated attackers possessing Custom-level access or higher can append malicious SQL commands to existing queries, enabling them to read sensitive data from the database. This vulnerability is a classic example of CWE‑89 and does not provide a path to arbitrary code execution but does allow unauthorized disclosure of private information.

Affected Systems

All versions of the WPSchoolPress plugin for WordPress released by jdsofttech, specifically those up to and including version 2.2.16, are affected. The flaw resides in the PHP code that constructs database queries based on the ‘cid’ parameter. It does not impact other versions such as 2.2.17 and later, nor does it affect WordPress itself outside of the plugin.

Risk and Exploitability

The CVSS v3.1 score of 6.5 indicates a moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog, further supporting a lower risk posture. However, because the attacker requires authenticated access at Custom level or higher, the threat is limited to users who control or can obtain such credentials – for example, individual parents or teachers. Once authenticated, the attacker can harvest data but not gain system-wide compromise or privilege escalation.

Generated by OpenCVE AI on April 20, 2026 at 23:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPSchoolPress plugin to version 2.2.17 or newer, which removes the insertion point for the ‘cid’ parameter.
  • Restrict or disable the ‘Custom’ role (often used by parents) so that only administrators can access the exam or other plugin endpoints that rely on the vulnerable parameter.
  • Ensure that the ‘cid’ parameter is validated as an integer or, if other data types are required, properly escaped using prepared statements before inclusion in any SQL query.

Generated by OpenCVE AI on April 20, 2026 at 23:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-6627 The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00036}

 epss

{'score': 0.00047}

Fri, 28 Mar 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Igexsolutions
Igexsolutions wpschoolpress
CPEs cpe:2.3:a:igexsolutions:wpschoolpress:*:*:*:*:*:wordpress:*:*
Vendors & Products Igexsolutions
Igexsolutions wpschoolpress

Mon, 17 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 15 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Description The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title School Management System – WPSchoolPress <= 2.2.16 - Authenticated (Parent+) SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Igexsolutions Wpschoolpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:55.403Z

Reserved: 2025-02-24T21:29:24.341Z

Link: CVE-2025-1670

cve-icon Vulnrichment

Updated: 2025-03-17T16:57:58.769Z

cve-icon NVD

Status : Modified

Published: 2025-03-15T04:15:21.810

Modified: 2026-04-08T19:23:51.417

Link: CVE-2025-1670

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:45:21Z

Weaknesses