CVE-2025-1667: 
WordPress vulnerability analysis and mitigation

The School Management System – WPSchoolPress plugin for WordPress contains a Privilege Escalation vulnerability (CVE-2025-1667) discovered on March 15, 2025. The vulnerability affects all versions up to and including 2.2.16. This security flaw exists due to a missing capability check in the wpsp_UpdateTeacher() function (NVD).

The vulnerability stems from a missing capability check in the wpsp_UpdateTeacher() function, which allows authenticated users with teacher-level access or higher to update arbitrary user details, including email addresses. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness has been classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

The vulnerability allows authenticated attackers with teacher-level access to modify arbitrary user details, including email addresses. This capability can be exploited to initiate password resets and potentially gain unauthorized access to other user accounts, including administrator accounts (NVD).

Users should update to a version newer than 2.2.16 once available. Until then, it is recommended to carefully monitor and restrict teacher-level access to trusted users only (NVD).