CVE-2025-15657
Deferred Deferred - Pending Action

Unauthenticated IDOR in School Management <= 93.1.0

Vulnerability report for CVE-2025-15657, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description

Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack school_management to 93.1.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WordPress School Management Plugin, versions 93.1.0 and below, contains an Insecure Direct Object References (IDOR) vulnerability. This flaw allows unauthorized users to bypass access controls and potentially access sensitive files, folders, or database interactions without proper authentication.

This means that attackers can directly access objects or data they should not be able to see or modify, due to improper validation of user permissions.

The vulnerability is classified as low severity with a CVSS score of 5.3 and falls under the OWASP Top 10 category of Broken Access Control.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to access sensitive information or data within the School Management Plugin without authentication.

  • Unauthorized access to sensitive files or folders.
  • Potential exposure of confidential database information.

Although the severity is considered low, the risk remains that attackers could exploit this flaw to gain access to data they should not have, which could lead to privacy breaches or data leaks.

Mitigation Strategies

Immediate action is recommended to mitigate this vulnerability since there is no official patch available as of the report date.

  • Update the WordPress School Management Plugin to a newer version if and when a patch is released.
  • Seek assistance from your hosting provider or a web developer to implement temporary access controls or workarounds.
Detection Guidance

The vulnerability in the WordPress School Management Plugin (versions 93.1.0 and below) is an Insecure Direct Object References (IDOR) flaw that allows unauthorized access to sensitive files or data without authentication.

To detect this vulnerability on your system or network, you can attempt to access restricted resources or data endpoints of the plugin without authentication and observe if access is granted.

Since there is no official patch or specific detection commands provided, a practical approach is to use web request tools like curl or automated scanners to test for unauthorized access to plugin-specific URLs or API endpoints.

  • Use curl to attempt accessing known plugin resource URLs without authentication, for example: curl -i http://yourwordpresssite.com/wp-content/plugins/school-management/some-protected-resource
  • Use web vulnerability scanners that support IDOR detection against the WordPress site, focusing on the School Management plugin endpoints.
  • Monitor web server logs for unusual access patterns to the plugin's files or database interaction points without valid user sessions.
Compliance Impact

The vulnerability allows unauthorized users to bypass access controls and potentially access sensitive files, folders, or database interactions without proper authentication.

Such unauthorized access to sensitive data can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Because the vulnerability falls under the OWASP Top 10 category of Broken Access Control, it directly impacts the security controls that these regulations mandate.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15657. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart