Description
The School Management System for Wordpress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 93.1.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One such chain can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible. The vendor has updated the version numbers beginning with `1.93.1 (02-07-2025)` for the patched version. This version comes after version 93.1.0.
Published: 2025-07-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to code execution and privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The School Management System for Wordpress plugin is vulnerable to Local File Inclusion via the 'page' parameter. Any authenticated user, from Subscriber level upward, can make the plugin include an arbitrary local file and execute whatever PHP it contains. This permits bypassing access controls, reading sensitive data, and achieving code execution wherever the attacker can first place a file containing PHP on the server (for example an uploaded image that is accepted as a "safe" type). Chaining the inclusion with the plugin's own dashboard view files reaches code that updates passwords; in Multisite installations that chain can reset a Super Administrator's password, giving the attacker full privilege escalation.

Affected Systems

The vulnerability affects every release of the School Management System for Wordpress plugin up to and including 93.1.0. The fix shipped as version 1.93.1 (dated 02-07-2025 in the vendor's changelog), which restarts the version numbering: 1.93.1 is the release after 93.1.0. Because a numeric comparison places 1.93.1 below 93.1.0, a check keyed only on "version <= 93.1.0" will misreport the patched release as vulnerable, so verify the installed version string directly.
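To make the renumbering concrete, here is an added example (not OpenCVE, Wordfence or vendor code) of a version check that accounts for the restart. It assumes that every patched release lives in the restarted 1.x line from 1.93.1 onwards and that everything from 2.0 through 93.1.0 belongs to the old, affected line; it also shows the false positive a naive "<= 93.1.0" comparison produces.

```python
"""Decide whether an installed School Management System for Wordpress version is affected by
CVE-2025-3740, taking the vendor's version renumbering into account.

Added example; not OpenCVE, Wordfence or vendor code. Assumption: every patched release is
in the restarted 1.x line (1.93.1 and later), while 2.0 .. 93.1.0 is the old, affected line.
"""
import re

LAST_VULNERABLE = (93, 1, 0)  # advisory: all versions up to and including 93.1.0
FIRST_PATCHED = (1, 93, 1)    # vendor restarted numbering at 1.93.1 (02-07-2025)


def parse_version(text):
    """'93.1' -> (93, 1, 0). Strips a leading 'v', ignores trailing notes such as a date,
    and pads to three numeric components so tuples compare like version_compare()."""
    parts = re.findall(r'\d+', text.strip().lstrip('vV'))
    if not parts:
        raise ValueError(f'unparseable version: {text!r}')
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def naive_is_vulnerable(text):
    """What a scanner keyed only on '<= 93.1.0' concludes. Because 1.93.1 sorts below
    93.1.0, this reports the patched release as vulnerable (a false positive)."""
    return parse_version(text) <= LAST_VULNERABLE


def is_vulnerable(text):
    """Vulnerable unless the version is in the restarted 1.x line at or above 1.93.1.
    Versions above 93.1.0 in the old numbering are not covered by the advisory and are
    therefore not reported."""
    version = parse_version(text)
    in_new_line = version[0] == 1 and version >= FIRST_PATCHED
    if in_new_line:
        return False
    return version <= LAST_VULNERABLE


if __name__ == '__main__':
    for candidate in ('93.1.0', '92.0.4', '1.93.1 (02-07-2025)', '1.94.0'):
        print(f'{candidate:22} naive={naive_is_vulnerable(candidate)!s:5} '
              f'correct={is_vulnerable(candidate)}')
```

The naive function is the one to look for in inventory scripts and scanner signatures: any rule written as "affected if version <= 93.1.0" will keep flagging patched sites until it learns about the 1.x line.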

Risk and Exploitability

The CVSS 3.1 score is 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no user interaction, requiring only a low-privileged account. The EPSS score is below 1 %, so broad exploitation is not predicted, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded at publication shows no known exploitation, "Automatable: no" and "Technical Impact: total". An attacker needs only a Subscriber-level session and a crafted 'page' parameter. On sites where user registration is open, Subscriber is the default role for self-registered accounts, so the precondition is trivial to meet. Successful exploitation yields arbitrary PHP execution and, via the dashboard view chain, takeover of a Super Administrator account on Multisite.

Generated by OpenCVE AI on April 21, 2026 at 19:41 UTC.

Remediation

Vendor fix available: upgrade to School Management System for Wordpress 1.93.1 or later. Under the vendor's restarted numbering 1.93.1 is the release that follows 93.1.0. No vendor-provided workaround short of upgrading is documented.

OpenCVE Recommended Actions

  • Upgrade the School Management System for Wordpress plugin to version 1.93.1 or later, the first release containing the LFI fix. Note that 1.93.1 is newer than 93.1.0 despite the smaller number, so confirm the installed version string rather than trusting a numeric comparison.
  • If upgrading immediately is not possible, deactivate the plugin until it can be updated. Restricting the 'page' parameter to an allow‑list of known view files is the correct code‑level fix, but it means modifying the plugin itself and is only appropriate for a maintained fork. Closing open registration and pruning unused accounts shrinks the population that can obtain the required Subscriber role, but does not remove the flaw.
  • Deploy a web‑application firewall rule that rejects 'page' values containing path separators, '..' sequences, null bytes or stream‑wrapper prefixes after URL decoding (including double encoding), and monitor for such requests from low‑privilege sessions. On Multisite, also alert on password changes to Super Administrator accounts, the end point of the documented chain.
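The detection rule in the last recommendation, as an added example that is not the plugin's code nor a Wordfence or OpenCVE rule. It scans constructed Apache-style access log lines for suspicious values of a `page` query parameter, percent-decoding repeatedly so that double-encoded traversal is caught. The `/wp-admin/admin.php` path, the assumption that legitimate values are plain slugs, and the log lines themselves are all assumptions: the page does not document the vulnerable endpoint or the legitimate values of the parameter.

```python
"""Scan access-log lines for Local File Inclusion attempts in a 'page' query parameter.

Added example for CVE-2025-3740 (CWE-22, Local File Inclusion via 'page'). It is not the
plugin's code, nor a Wordfence or OpenCVE rule. Assumptions: the vulnerable endpoint sits
under /wp-admin/admin.php (the page does not document the real path), legitimate values
are plain slugs, and the log lines below are constructed for the demonstration.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" format; only the client IP and the request target are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"'
)
# Assumed shape of a legitimate value. Legacy WordPress menu slugs can look like
# "plugin-dir/file.php", so tune this allow-list pattern to the slugs the site really uses.
SLUG_RE = re.compile(r'^[A-Za-z0-9_-]+$')
# "php:", "data:", "phar:", "file:" ... and also a Windows drive letter such as "c:".
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*:')


def normalize(value, rounds=3):
    """Percent-decode until stable (catches %252e%252e double encoding) and unify separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def classify(raw_value):
    """Return (severity, reasons) for one 'page' value: 'high', 'low' or 'none'.
    Any '..' counts as traversal: a slug never legitimately contains it, and being strict
    here also covers '....//'-style filter bypasses."""
    value = normalize(raw_value)
    reasons = []
    if '\x00' in value:
        reasons.append('null byte')
    if '..' in value:
        reasons.append('directory traversal')
    if value.startswith('/'):
        reasons.append('absolute path')
    if SCHEME_RE.match(value):
        reasons.append('scheme prefix (stream wrapper or drive letter)')
    if reasons:
        return 'high', reasons
    if not SLUG_RE.match(value):
        return 'low', ['not a plain slug']
    return 'none', []


def scan_log(lines, param='page'):
    """Return (ip, value, severity, reasons) for every request carrying a suspicious param."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group('target')).query
        # parse_qsl decodes one layer; normalize() inside classify() peels any further ones.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == param:
                severity, reasons = classify(value)
                if severity != 'none':
                    findings.append((m.group('ip'), value, severity, reasons))
    return findings


# Constructed sample: one benign request, four attack shapes, one legacy-style slug.
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Jul/2025:09:12:01 +0000] "GET /wp-admin/admin.php?page=students&tab=list HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jul/2025:09:12:05 +0000] "GET /wp-admin/admin.php?page=../../../../wp-config.php HTTP/1.1" 500 311 "-" "curl/8.4.0"',
    '198.51.100.7 - - [18/Jul/2025:09:12:09 +0000] "GET /wp-admin/admin.php?page=..%252f..%252fwp-config.php HTTP/1.1" 500 311 "-" "curl/8.4.0"',
    '198.51.100.7 - - [18/Jul/2025:09:12:14 +0000] "GET /wp-admin/admin.php?page=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 9001 "-" "curl/8.4.0"',
    '198.51.100.7 - - [18/Jul/2025:09:12:20 +0000] "GET /wp-admin/admin.php?page=/etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    '203.0.113.10 - - [18/Jul/2025:09:13:02 +0000] "GET /wp-admin/admin.php?page=my-plugin/report.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]


def demo():
    """Run the scanner over the constructed sample."""
    return scan_log(SAMPLE_LOG)


if __name__ == '__main__':
    for ip, value, severity, reasons in demo():
        print(f'{severity:4} {ip:15} page={value!r} ({", ".join(reasons)})')
```

The 'low' tier exists because WordPress core itself routes plugin admin screens through a `page` parameter and some plugins register path-like slugs, so a rule that fires on every non-slug value will be noisy on `/wp-admin/`; the 'high' tier (traversal, absolute paths, null bytes, wrappers) is what belongs in a blocking WAF rule, the 'low' tier in a review queue.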



Advisories
Source ID Title
EUVD EUVD-2025-21843 (description identical to the one at the top of this page)
History

Fri, 18 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 18 Jul 2025 04:30:00 +0000

Type Values Removed Values Added
Description (full text as shown in the Description section at the top of this page)
Title School Management System for Wordpress <= 93.1.0 - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:05.290Z

Reserved: 2025-04-16T16:39:12.716Z

Link: CVE-2025-3740

Vulnrichment

Updated: 2025-07-18T13:48:35.606Z

NVD

Status: Deferred

Published: 2025-07-18T05:15:30.033

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:45:16Z

Weaknesses