Description
Missing Authorization vulnerability in Mojoomla School Management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects School Management: from n/a through 93.2.0.
Published: 2025-08-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check in the Mojoomla School Management plugin. Incorrectly configured access control allows attackers to bypass user permissions and access or modify sensitive data, which can lead to data exposure or unauthorized changes.

Affected Systems

All installations of the School Management plugin from its earliest release up through version 93.2.0 are affected. The plugin is typically deployed on WordPress sites that use it to manage student records, schedules, and other administrative functions. Anyone with a user account on such a site could exploit the flaw if the plugin’s configuration is lax.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation is currently very unlikely. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could exploit this flaw by making web requests to the plugin’s endpoints, potentially using an authenticated user account to elevate privileges. Although widespread attacks are presently infrequent, the exposure of sensitive educational data remains significant.

Generated by OpenCVE AI on April 30, 2026 at 15:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the School Management plugin to the latest available version (93.3.0 or newer) where the access control issue has been fixed.
  • Verify that user roles are correctly configured and restrict access to the plugin’s administrative screens to only the necessary roles.
  • If an immediate upgrade is not possible, temporarily disable the plugin or remove unauthorized user roles, and monitor logs for abnormal activity.

Advisories
Source | ID | Title
EUVD | EUVD-2025-25776 | Missing Authorization vulnerability in Mojoomla School Management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects School Management: from n/a through 93.2.0.

History

Wed, 27 Aug 2025 11:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Tue, 26 Aug 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 Aug 2025 10:00:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Mojoomla School Management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects School Management: from n/a through 93.2.0.
Title | | WordPress School Management Plugin <= 93.2.0 - Broken Access Control Vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:51.669Z

Reserved: 2025-05-15T17:54:48.128Z

Link: CVE-2025-48108

Vulnrichment

Updated: 2025-08-26T15:33:36.694Z

NVD

Status: Deferred

Published: 2025-08-26T10:15:35.267

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-48108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:45:40Z

Weaknesses