Impact
In this vulnerability, an attacker can inject arbitrary JavaScript into the application through the dashboard/studentConductManager.php interface. The flaw is a classic reflected or stored cross‑site scripting (CWE‑79) and, according to the CVE data, may also allow code injection (CWE‑94). The vulnerability can compromise the confidentiality, integrity, and availability of user sessions by enabling cookie theft, session hijacking, or defacement of the student interface.
Affected Systems
The affected product is Wizgrade, a web‑based student performance management system developed by Igweze. All releases up to the repository commit b1d55f22b90cd7e7a6e5002f006d7c649e8086d6 contain the vulnerable code. Because the vendor uses a rolling‑release process, the exact version number of the vulnerable releases is not disclosed, so administrators should treat all current and pending releases as potentially affected until an official fix is released.
Risk and Exploitability
The CVSS score of 5.3 indicates a medium‑severity vulnerability. The exploit is available publicly and can be executed from a remote attacker, although the EPSS score is not disclosed. The vulnerability is not listed in the CISA KEV catalog yet, but the public disclosure suggests that exploitation is possible and could be targeted, especially against institutions that use the studentConductManager.php endpoint.
OpenCVE Enrichment