CVE-2025-1670

Name of the Vulnerable Software and Affected Versions: The School Management System – WPSchoolPress plugin for WordPress versions up to, and including, 2.2.16

Description: The issue allows authenticated attackers with Custom-level access and above to perform SQL Injection via the cid parameter due to insufficient escaping on user-supplied parameters and lack of sufficient preparation on existing SQL queries. This enables attackers to append additional SQL queries to existing ones, potentially extracting sensitive information from the database.

Recommendations: For versions up to, and including, 2.2.16, consider restricting access to the cid parameter in the affected API endpoint until a patch is available. As a temporary workaround, limit Custom-level access and above to minimize the risk of exploitation.