SB2025031835 - Multiple vulnerabilities in WPSchoolPress plugin for WordPress
Published: March 18, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) SQL injection (CVE-ID: CVE-2025-1670)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "cid" parameter. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
2) Missing Authorization (CVE-ID: CVE-2025-1668)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to a missing capability check on the wpsp_DeleteUser() function. A remote user can delete arbitrary user accounts.
3) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-1667)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to a missing capability check on the wpsp_UpdateTeacher() function. A remote user can update arbitrary user details including email and gain elevated privileges on the system.
4) SQL injection (CVE-ID: CVE-2025-1669)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "addNotify" action. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.16/pages/wpsp-exams.php#L186
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f38c28f4-e73a-4eb2-8bbd-73c849385c4e?source=cve
- https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.16/lib/wpsp-ajaxworks.php#L22
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5638b6-134d-4386-af40-6ac961a915d7?source=cve
- https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.16/lib/wpsp-ajaxworks-teacher.php#L544
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e54f98bc-c538-4f3c-b24a-6e778a3748ef?source=cve
- https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.16/lib/wpsp-ajaxworks.php#L4304
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b7413d90-aed1-4f78-a17c-bed76efb48f8?source=cve