Impact
Improper neutralization of special elements used in an SQL command (SQL Injection) in the School Management plugin for WordPress allows attackers to perform blind SQL injection. Successful exploitation can extract sensitive data from the underlying database, potentially exposing user credentials, personal information, and configuration details. The weakness is classified as CWE-89, reflecting unsanitized input handling that can lead to unauthorized data access.
Affected Systems
The vulnerability affects the School Management plugin developed by mojoomla for the WordPress platform. All instances of the plugin up to and including version 92.0.0 are impacted. Users running WordPress sites with this plugin installed should verify their version and plan an upgrade to a patched release. The plugin is commonly used by educational institutions to manage student records, schedules, and other confidential data.
Risk and Exploitability
The issue carries a CVSS score of 9.3, a critical severity. Its EPSS score is below 1%, suggesting that the likelihood of exploitation in the wild is currently low, though not impossible. The vulnerability is not listed in the CISA KEV catalog, so no known in-the-wild exploitation has been reported so far. The flaw is likely reachable through the plugin's public-facing web forms or API endpoints, making the attack vector network-based; this vector is inferred from the description, which points to exposed input parameters that accept unsanitized data.
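The CWE-89 pattern behind this class of bug, shown here as an added illustration that is not the School Management plugin's code: a WordPress query built by string interpolation beside its hardened form using $wpdb->prepare(). The function, table and parameter names are hypothetical.

```php
<?php
// Added illustration of CWE-89 in a WordPress plugin. This is NOT the School
// Management plugin's code; function, table and parameter names are hypothetical.

// Vulnerable pattern: request input is interpolated straight into the SQL text.
// A crafted value alters the WHERE clause; since only a count comes back, the
// behaviour matches the blind injection described in the advisory.
function smp_count_students_vulnerable( $class_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'smp_students'; // hypothetical table name
    $sql   = "SELECT COUNT(*) FROM {$table} WHERE class_id = {$class_id}";
    return (int) $wpdb->get_var( $sql );
}

// Hardened form: the value is bound through $wpdb->prepare(), so it is only
// ever treated as data, and its type is enforced up front with absint().
// The table prefix is trusted configuration, not user input.
function smp_count_students_safe( $class_id ) {
    global $wpdb;
    $class_id = absint( $class_id );
    if ( 0 === $class_id ) {
        return 0; // reject empty or non-numeric input rather than querying
    }
    $table = $wpdb->prefix . 'smp_students';
    $sql   = $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE class_id = %d", $class_id );
    return (int) $wpdb->get_var( $sql );
}

// For string inputs (e.g. a search term) bind with %s and escape LIKE wildcards
// so that '%' and '_' in the input cannot widen the match.
function smp_search_students_safe( $term ) {
    global $wpdb;
    $term  = sanitize_text_field( wp_unslash( $term ) );
    $table = $wpdb->prefix . 'smp_students';
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $sql   = $wpdb->prepare( "SELECT id, name FROM {$table} WHERE name LIKE %s", $like );
    return $wpdb->get_results( $sql );
}

// Gate the AJAX handler on nonce and capability checks so that unauthenticated
// requests never reach the query at all (hypothetical action name).
add_action( 'wp_ajax_smp_count', function () {
    check_ajax_referer( 'smp_count' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( smp_count_students_safe( $_POST['class_id'] ?? 0 ) );
} );
```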