Privilege Escalation Vulnerability Affects School Management System
CVE-2024-9637

8.8HIGH

Key Information:

Vendor: Wordpress
Status: School Management System – WPschoolpress
Vendor: CVE Published:; 26 October 2024

Summary

The WPSchoolPress plugin for WordPress is susceptible to a vulnerability that facilitates privilege escalation through account takeover, affecting all versions up to and including 2.2.10. This vulnerability stems from the plugin's failure to correctly validate user identities when changing account details, such as email addresses. As a result, authenticated attackers with teacher-level access or higher can exploit this flaw to alter any user's email address, including those of administrators. This action can lead to a reset of the user's password, granting the attacker unauthorized access to the compromised account, thereby compromising the integrity and security of the system.

Affected Version(s)

School Management System – WPSchoolPress * <= 2.2.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wpschoolpress/...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 26, 2024
Vulnerability Reserved
Oct 8, 2024

Credit

wesley