Local File Inclusion Vulnerability in School Management System Plugin by WordPress
CVE-2025-3740
Key Information:
- Vendor: WordPress
- CVE Published: 18 July 2025
What is CVE-2025-3740?
The School Management System plugin for WordPress contains a Local File Inclusion vulnerability that impacts all versions up to 93.1.0. Authenticated attackers with Subscriber-level access or higher can exploit the 'page' parameter to include and execute arbitrary files on the server. This vulnerability allows for the execution of any PHP code within those files, potentially leading to unauthorized access to sensitive data or privilege escalation. Attackers may leverage this flaw to include various dashboard view files from the plugin, which could facilitate actions like updating Super Administrator passwords in Multisite setups. The vendor has addressed this issue in versions starting with 1.93.1, released on February 7, 2025.
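One way to close this class of bug, shown as an added example that is neither the plugin's code nor the vendor's fix: the 'page' value is used only as a key into an allowlist, and each view names the capability it requires. The view names, `resolve_view`, and the directory layout are hypothetical; `read` and `manage_network` are standard WordPress capabilities.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request slug => [view file, capability required].
const VIEWS = [
    'student-dashboard' => ['student-dashboard.php', 'read'],
    'network-settings'  => ['network-settings.php', 'manage_network'],
];

/**
 * Resolve the 'page' request value to a view file path, or null to refuse.
 * $can is a capability check; in WordPress it would wrap current_user_can().
 */
function resolve_view(string $page, callable $can, string $viewDir): ?string
{
    // 1. The request value is only ever a lookup key, never part of a path.
    if (!array_key_exists($page, VIEWS)) {
        return null;
    }
    [$file, $capability] = VIEWS[$page];

    // 2. Each view names its own capability, so reaching a privileged
    //    dashboard view takes more than being logged in.
    if (!$can($capability)) {
        return null;
    }

    // 3. Defence in depth: the resolved file must sit inside the view directory.
    $base = realpath($viewDir);
    $path = realpath($viewDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary view directory and a Subscriber-like user.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'views_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (VIEWS as [$file]) {
    touch($dir . DIRECTORY_SEPARATOR . $file);
}
$subscriber = fn(string $cap): bool => $cap === 'read';

foreach (['student-dashboard', 'network-settings', '../outside/file'] as $page) {
    $view = resolve_view($page, $subscriber, $dir);
    echo $page, ' => ', $view === null ? 'refused' : basename($view), PHP_EOL;
}
```

With the Subscriber-like user, only the first slug resolves to a file; the privileged view and the path-shaped value are both refused.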
Affected Version(s)
School Management System for Wordpress * <= 93.1.0