CVE-2025-15657
Status: Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions.
Affected Vendors & Products
One associated CPE:
  • Vendor: patchstack; Product: school_management; Version / Range: up to 93.1.0 (inclusive)
CWE
  • CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

The WordPress School Management Plugin, versions 93.1.0 and below, contains an Insecure Direct Object References (IDOR) vulnerability. This flaw allows unauthorized users to bypass access controls and potentially access sensitive files, folders, or database interactions without proper authentication.

This means that attackers can directly access objects or data they should not be able to see or modify, due to improper validation of user permissions.

The vulnerability is classified as low severity with a CVSS score of 5.3 and falls under the OWASP Top 10 category of Broken Access Control.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to access sensitive information or data within the School Management Plugin without authentication.

  • Unauthorized access to sensitive files or folders.
  • Potential exposure of confidential database information.

Although the severity is considered low, the risk remains that attackers could exploit this flaw to gain access to data they should not have, which could lead to privacy breaches or data leaks.

Mitigation Strategies

Immediate action is recommended to mitigate this vulnerability since there is no official patch available as of the report date.

  • Update the WordPress School Management Plugin to a newer version if and when a patch is released.
  • Seek assistance from your hosting provider or a web developer to implement temporary access controls or workarounds.

Compliance Impact

The vulnerability allows unauthorized users to bypass access controls and potentially access sensitive files, folders, or database interactions without proper authentication.

Such unauthorized access to sensitive data can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Because the vulnerability falls under the OWASP Top 10 category of Broken Access Control, it directly impacts the security controls that these regulations mandate.
