CVE-2025-30973 - Vulnerability Details

- WordPress CoSchool LMS plugin <= 1.4.3 - PHP Object Injection Vulnerability

Description

Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS coschool allows Object Injection.This issue affects CoSchool LMS: from n/a through <= 1.4.3.

Published: 2025-07-16

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Coschool LMS plugin accepts serialized PHP objects without proper validation, allowing an attacker to inject malicious objects that are later deserialized by the plugin. This deserialization flaw can lead to remote code execution, giving an adversary full system compromise if the plugin instance runs with elevated privileges. The weakness is classified as CWE-502, indicating a deserialization of untrusted data flaw.

Affected Systems

Codexpert, Inc publishes the Coschool LMS plugin for WordPress. Versions 1.4.3 and earlier are affected; any site running these or earlier releases of the plugin is vulnerable.

Risk and Exploitability

The CVSS score of 9.8 places this vulnerability in the Critical category, although the EPSS score of <1% suggests a low likelihood of mass exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, but the potential for arbitrary code execution warrants immediate attention. Attackers would likely exploit the flaw by sending crafted serialized data through user‑input fields or by manipulating URLs that trigger the plugin’s deserialization logic; this inference is based on the stated deserialization of untrusted data. If successful, the attacker could execute arbitrary PHP code, compromise the WordPress installation, and potentially move laterally within the underlying server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Codexpert, Inc

CoSchool LMS

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.4.3

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Coschool LMS plugin to version 1.4.4 or later to eliminate the deserialization flaw.
Disable or delete the Coschool LMS plugin until the patch is applied if the plugin is not essential to current operations.
Monitor WordPress error logs and security alerts for unusual activity, and audit user permissions to limit exposure of plugin functionality.

Generated by OpenCVE AI on May 1, 2026 at 06:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-21611	Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00369.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/coschool/vulnerability/wordpress-coschool-lms-1-4-3-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3.	Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS coschool allows Object Injection.This issue affects CoSchool LMS: from n/a through <= 1.4.3.
References	https://patchstack.com/database/wordpress/plugin/coschool/vulnerability/wordpress-coschool-lms-1-4-3-php-object-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/coschool/vulnerability/wordpress-coschool-lms-1-4-3-php-object-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 16 Jul 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics		epss `{'score': 0.00038}`

Wed, 16 Jul 2025 11:45:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3.
Title		WordPress CoSchool LMS plugin <= 1.4.3 - PHP Object Injection Vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/plugin/coschool/vulnerability/wordpress-coschool-lms-1-4-3-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-07-16T11:28:07.716Z

Updated: 2026-04-28T16:12:02.388Z

Reserved: 2025-03-26T09:22:34.906Z

Link: CVE-2025-30973

Vulnrichment

Updated: 2025-07-16T16:20:36.305Z

NVD

Status : Deferred

Published: 2025-07-16T12:15:25.443

Modified: 2026-04-23T15:27:25.907

Link: CVE-2025-30973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object