CVE-2025-3740: 
WordPress vulnerability analysis and mitigation

The School Management System for WordPress plugin is affected by a Local File Inclusion vulnerability (CVE-2025-3740) in all versions up to and including 93.1.0. The vulnerability was discovered and reported by Wordfence, with the initial CVE assignment date of April 16, 2025. This security issue affects WordPress installations using the School Management System plugin (NVD).

The vulnerability exists in the 'page' parameter of the School Management System plugin, allowing authenticated attackers with Subscriber-level access or higher to include and execute arbitrary files on the server. The severity is rated as HIGH with a CVSS v3.1 base score of 8.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD, Wordfence).

The vulnerability allows attackers to bypass access controls, obtain sensitive data, and potentially achieve code execution when images and other 'safe' file types can be uploaded and included. Additionally, the Local File Inclusion exploit can be chained to include various dashboard view files in the plugin, potentially leading to password updates of Super Administrator accounts in Multisite environments, enabling privilege escalation (NVD).

The vendor has released a patched version 1.93.1 (02-07-2025) to address this vulnerability. Users are strongly advised to update their installations to this version or later (NVD).