CVE-2021-24575: 
WordPress vulnerability analysis and mitigation

The School Management System – WPSchoolPress WordPress plugin before version 2.1.10 contains multiple SQL injection vulnerabilities. The vulnerability was discovered by ZhongFu Su(JrXnm) of Wuhan University and was publicly disclosed on October 11, 2021. The issue affects various authenticated users, from subscribers/students to teachers and above (WPScan Advisory).

The vulnerability stems from improper sanitization and lack of prepared statements when handling POST variables in SQL queries. The plugin has multiple vulnerable actions including 'sendSubMessage', 'UpdateStudent', 'getstudentdate', 'AddStudent', 'addMark', 'savetimetable', and 'AttendanceEntry'. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-89 (SQL Injection) (NVD, WPScan Advisory).

The SQL injection vulnerability could allow authenticated attackers to execute arbitrary SQL commands on the database. This could potentially lead to unauthorized access to sensitive data, modification of database contents, and possible compromise of the WordPress installation's integrity (WPScan Advisory).

The vulnerability has been fixed in version 2.1.10 of the WPSchoolPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan Advisory).