PT-2025-10056 · WordPress · School Management System

Khayal Farzaliyev

Published 2025-03-07 · Updated 2025-03-08

CVE-2024-12607

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

School Management System for WordPress plugin, versions up to and including 92.0.0

Description

The issue allows authenticated attackers with Custom-level access and above to perform SQL injection via the id parameter of the "mj smgt show event task" AJAX action. The user-supplied id parameter is not sufficiently escaped and the existing SQL query is not prepared, so an attacker can alter the query and extract sensitive information from the database.

Recommendations

For School Management System for WordPress plugin versions up to and including 92.0.0, consider restricting access to the "mj smgt show event task" AJAX action until a patch is available. As a temporary workaround, avoid using the id parameter in the affected AJAX action to minimize the risk of exploitation.
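The bug class described above, shown as an added example that is not the plugin's code: a WordPress AJAX handler that concatenates the id parameter into its query, beside a hardened version that checks capability and nonce, casts the id to an integer and binds it with $wpdb->prepare(). The hook, function, table and capability names are placeholders.

```php
<?php
// Added example, not the plugin's own code. Hook, function, table and
// capability names are hypothetical placeholders.

// BEFORE: the untrusted id is concatenated straight into the SQL text.
// Neither escaping nor an integer placeholder is applied, so an
// authenticated caller controls the WHERE clause.
function example_show_event_task_vulnerable() {
    global $wpdb;
    $id   = $_POST['id'];                                    // untrusted input
    $rows = $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}example_event_task WHERE id = " . $id
    );
    wp_send_json_success( $rows );
}

// AFTER: authorize the caller, verify the nonce, validate the input type,
// and let $wpdb->prepare() bind the value as an integer.
function example_show_event_task_fixed() {
    global $wpdb;

    // Placeholder capability; use the one that actually gates event access.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Rejects requests that were not issued from the plugin's own page.
    check_ajax_referer( 'example_show_event_task_nonce', 'nonce' );

    // absint() yields a non-negative integer before the value reaches SQL;
    // 0 means "missing or not a number" and is refused.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // %d forces an integer placeholder, so no string can reach the query.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_event_task WHERE id = %d",
            $id
        )
    );
    wp_send_json_success( $rows );
}

// Only the hardened handler is registered for the AJAX action.
add_action( 'wp_ajax_example_show_event_task', 'example_show_event_task_fixed' );
```

Registering with wp_ajax_ only (and not wp_ajax_nopriv_) keeps the action limited to logged-in users, which matches the authenticated scope in the advisory.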

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2024-12607

Affected Products

School Management System