Description
A security vulnerability has been detected in igweze wizgrade up to b1d55f22b90cd7e7a6e5002f006d7c649e8086d6. This vulnerability affects unknown code of the file dashboard/studentConductManager.php. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-07-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In this vulnerability, an attacker can inject arbitrary JavaScript into the application through the dashboard/studentConductManager.php interface. The flaw is a classic reflected or stored cross‑site scripting (CWE‑79) and, according to the CVE data, may also allow code injection (CWE‑94). The vulnerability can compromise the confidentiality, integrity, and availability of user sessions by enabling cookie theft, session hijacking, or defacement of the student interface.

Affected Systems

The affected product is Wizgrade, a web‑based student performance management system developed by Igweze. All releases up to the repository commit b1d55f22b90cd7e7a6e5002f006d7c649e8086d6 contain the vulnerable code. Because the vendor uses a rolling‑release process, the exact version number of the vulnerable releases is not disclosed, so administrators should treat all current and pending releases as potentially affected until an official fix is released.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium‑severity vulnerability. The exploit is available publicly and can be executed from a remote attacker, although the EPSS score is not disclosed. The vulnerability is not listed in the CISA KEV catalog yet, but the public disclosure suggests that exploitation is possible and could be targeted, especially against institutions that use the studentConductManager.php endpoint.

Generated by OpenCVE AI on July 12, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Wizgrade release once the vendor issues a patch addressing the XSS flaw.
  • Deploy input validation and output encoding on data processed by dashboard/studentConductManager.php to prevent malicious script injection.
  • Enforce secure HTTP headers such as Content‑Security‑Policy, X‑XSS‑Protection, and Strict‑Transport‑Security to mitigate the impact of any undiscovered XSS attempts.
  • Consider using a Web Application Firewall to detect and block payloads that attempt to exploit the studentConductManager.php endpoint.

Generated by OpenCVE AI on July 12, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 12 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in igweze wizgrade up to b1d55f22b90cd7e7a6e5002f006d7c649e8086d6. This vulnerability affects unknown code of the file dashboard/studentConductManager.php. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
Title igweze wizgrade studentConductManager.php cross site scripting
First Time appeared Igweze
Igweze wizgrade
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:igweze:wizgrade:*:*:*:*:*:*:*:*
Vendors & Products Igweze
Igweze wizgrade
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-12T10:00:08.854Z

Reserved: 2026-07-11T12:01:28.373Z

Link: CVE-2026-15492

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T22:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')