CVE-2023-4776: 
WordPress vulnerability analysis and mitigation

The School Management System WordPress plugin (WPSchoolPress) before version 2.2.5 contains a SQL injection vulnerability identified as CVE-2023-4776. The vulnerability was discovered on September 5, 2023, and publicly disclosed on September 25, 2023. The issue affects the plugin's handling of SQL queries where the WordPress esc_sql() function is used on a field not properly delimited by quotes and without query preparation (WPScan Advisory).

The vulnerability is classified as a SQL injection (CWE-89) with a CVSS v3.1 base score of 8.8 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper implementation of SQL query sanitization, where the esc_sql() function is used without proper query preparation and quote delimitation (NVD Database).

This vulnerability allows relatively low-privilege users, such as Teachers, to perform SQL injection attacks against the database. Successful exploitation could lead to unauthorized access to data, modification of database contents, and potential compromise of the WordPress installation (WPScan Advisory).

The vulnerability has been fixed in version 2.2.5 of the WPSchoolPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan Advisory).