VYPR
High severity · 7.1 · NVD Advisory · Published May 23, 2025 · Updated Apr 28, 2026

CVE-2025-47613

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojoomla School Management allows Reflected XSS. This issue affects School Management: from n/a through 92.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in the School Management WordPress plugin (≤92.0.0) allows attackers to inject malicious scripts via unneutralized input.

Vulnerability Overview

The School Management WordPress plugin, through version 92.0.0, fails to properly neutralize user-supplied input during web page generation. This flaw constitutes a reflected Cross-Site Scripting (XSS) vulnerability [1]. The root cause is the lack of sanitization or escaping of input that is immediately reflected back to the user's browser.

Exploitation Path

An attacker can exploit this vulnerability by crafting a malicious link or form that, when a privileged user (such as a site administrator) interacts with it, executes arbitrary JavaScript in the victim's browser. The attacker does not need to be authenticated, but the attack does rely on interaction from a user who has some level of privileges [1]. The exploitation is straightforward and can be automated, making it suitable for mass campaigns targeting thousands of sites [1].

Impact

Successful exploitation allows the attacker to inject arbitrary HTML and JavaScript into the context of the vulnerable website. This can be used to perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing session cookies, or defacing pages [1]. The CVSS v3 base score is 7.1 (High), reflecting the potential for significant impact with relatively low attack complexity [1].

Mitigation

The vendor has not yet released an official patch, but Patchstack provides a mitigation rule that can block attacks until a fix is available and safely applied. Users are strongly advised to update the plugin to a patched version once released. If updating is not immediately possible, consulting with a hosting provider or web developer for temporary workarounds is recommended [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
