CVE-2024-12607

Medium CVSS: 6.5

The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'mj_smgt_show_event_task' AJAX action in all versions up to, and including, 92.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Vendor

Dasinfomedia

Product

School Management System

CWE

CWE-89

Yayın Tarihi

2025-03-07 09:15:14

Güncelleme

2025-07-07 18:19:26

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-89 School Management System MEDIUM Dasinfomedia 2025

Referanslar

https://codecanyon.net/item/school-management-system-for-wordpress/11470032 https://www.wordfence.com/threat-intel/vulnerabilities/id/175fe7f4-ac92-4c52-9889-47635c21cd9b?source=cve

Benzer Kayıtlar

Medium

CVE-2024-12610

The School Management System for Wordpress plugin for WordPress is vulnerable to unauthorized loss of data due to a miss…

Medium

CVE-2024-12611

The School Management System for Wordpress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the…

High

CVE-2024-9658

The School Management System for Wordpress plugin for WordPress is vulnerable to privilege escalation via account takeov…

Medium

CVE-2024-12609

The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via the 'view-attendance'…