CVE-2025-1669

Name of the Vulnerable Software and Affected Versions: The School Management System – WPSchoolPress plugin for WordPress versions up to, and including, 2.2.16

Description: The issue is related to SQL Injection via the 'addNotify' action due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with teacher-level access and above to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database.

Recommendations: For versions up to, and including, 2.2.16, update to a version that includes a fix for this issue to prevent SQL Injection attacks. As a temporary workaround, consider restricting access to the 'addNotify' action for users with teacher-level access and above until a patch is available.