{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1667", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-24T21:21:35.824Z", "datePublished": "2025-03-15T03:23:25.085Z", "dateUpdated": "2026-04-08T17:29:50.536Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:50.536Z"}, "affected": [{"vendor": "jdsofttech", "product": "School Management System \u2013 WPSchoolPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The School Management System \u2013 WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators."}], "title": "School Management System \u2013 WPSchoolPress <= 2.2.16 - Missing Authorization to Privilege Escalation via Account Takeover", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e54f98bc-c538-4f3c-b24a-6e778a3748ef?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.16/lib/wpsp-ajaxworks-teacher.php#L544"}, {"url": "https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.17/lib/wpsp-ajaxworks-teacher.php#L544"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-11-05T19:39:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-03-14T14:22:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-17T21:25:58.945073Z", "id": "CVE-2025-1667", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T21:27:58.697Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1667", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-17T21:25:58.945073Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T21:26:00.445Z"}}], "cna": {"title": "School Management System \u2013 WPSchoolPress <= 2.2.16 - Missing Authorization to Privilege Escalation via Account Takeover", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "jdsofttech", "product": "School Management System \u2013 WPSchoolPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-05T19:39:41.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-03-14T14:22:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e54f98bc-c538-4f3c-b24a-6e778a3748ef?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.16/lib/wpsp-ajaxworks-teacher.php#L544"}, {"url": "https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.17/lib/wpsp-ajaxworks-teacher.php#L544"}], "descriptions": [{"lang": "en", "value": "The School Management System \u2013 WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:50.536Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1667", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:50.536Z", "dateReserved": "2025-02-24T21:21:35.824Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-15T03:23:25.085Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:igexsolutions:wpschoolpress:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EF133B89-7064-447E-850F-3C5ED8C2AEB9", "versionEndIncluding": "2.2.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The School Management System \u2013 WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators."}, {"lang": "es", "value": "El complemento School Management System \u2013 WPSchoolPress para WordPress es vulnerable a la escalada de privilegios debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n wpsp_UpdateTeacher() en todas las versiones hasta la 2.2.16 incluida. Esto permite a atacantes autenticados, con acceso de profesor o superior, actualizar datos arbitrarios de usuarios, incluyendo el correo electr\u00f3nico, lo que permite solicitar el restablecimiento de contrase\u00f1a y acceder a cuentas de usuario arbitrarias, incluyendo las de administrador."}], "id": "CVE-2025-1667", "lastModified": "2026-04-08T19:23:51.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-15T04:15:21.273", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.16/lib/wpsp-ajaxworks-teacher.php#L544"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.17/lib/wpsp-ajaxworks-teacher.php#L544"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e54f98bc-c538-4f3c-b24a-6e778a3748ef?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:33:31.969387+00:00", "value": {"mitigation_remediation": ["Upgrade the WPSchoolPress plugin to version 2.2.17 or later.", "Revoke teacher and above permissions for all accounts and re\u2011evaluate role assignments to limit unnecessary exposure.", "If an upgrade cannot be performed immediately, temporarily disable or restrict the wpsp_UpdateTeacher endpoint so it only responds to administrators, or disable the plugin entirely until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via missing authorization check"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the jdsofttech School Management System \u2013 WPSchoolPress plugin for WordPress, specifically all releases up to and including version 2.2.16. The affected code resides in the wpsp-ajaxworks-teacher.php file within the plugin archive. Users running any of these versions on a WordPress site are at risk.", "description_and_impact": "The WPSchoolPress plugin for WordPress has a flaw in the wpsp_UpdateTeacher() function that omits a capability check. This vulnerability allows authenticated users holding teacher-level or higher permissions to modify any user record, including changing email addresses. By doing so, the attacker can trigger password reset requests for arbitrary accounts, thereby gaining access to administrator or other privileged user accounts. The impact is the loss of confidentiality and integrity of all accounts within the WordPress installation.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity, and the EPSS score of less than 1% suggests the flaw has not been widely exploited yet, though its presence in CISA KEV is not reported. The attack vector requires an authenticated teacher-level or higher account; once such a user is compromised or deliberately used, privilege escalation can be achieved. Therefore the threat remains significant for environments where teacher roles are widely granted or where user passwords are weak."}}}}, "created": "2026-04-20T23:45:21.601639+00:00", "updated": "2026-04-20T23:45:21.601650+00:00", "vendors": []}