CVE-2025-1670: 
WordPress vulnerability analysis and mitigation

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in versions up to and including 2.2.16. This vulnerability was discovered and disclosed on March 15, 2025. The issue affects the plugin's exam management functionality and allows authenticated attackers with Custom-level access or higher to perform SQL injection attacks (NVD CVE).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the plugin's code. Specifically, the issue exists in the exam management functionality where the 'cid' parameter is not properly sanitized before being used in database queries. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating that it requires network access and low privileges to exploit (Wordfence Report).

When exploited, this vulnerability allows authenticated attackers to append additional SQL queries to existing database queries. This can lead to unauthorized access to sensitive information stored in the database, potentially exposing student records, exam data, and other confidential information managed by the WPSchoolPress plugin (NVD CVE).

Website administrators running the WPSchoolPress plugin should immediately update to a version newer than 2.2.16 once available. Until a patch is released, it is recommended to implement additional access controls and monitoring of plugin usage, particularly focusing on requests involving the 'cid' parameter (NVD CVE).