CVE-2026-39631
Description
Missing Authorization vulnerability in Ronik@UnlimitedWP WPSchoolPress wpschoolpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPSchoolPress: from n/a through <= 2.2.35.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WPSchoolPress <=2.2.35 has missing authorization, allowing unauthenticated or low-privileged users to access higher-privileged functions.
The WPSchoolPress plugin for WordPress, in versions up to and including 2.2.35, contains a Missing Authorization vulnerability. This is a broken access control issue: the plugin fails to properly validate user capabilities before allowing access to certain functions, which leaves its access control security levels incorrectly configured [1].
Exploitation requires no special privileges, as the missing authorization check means that an unauthenticated attacker or a user with minimal permissions can trigger higher-privileged actions. The attack surface is broad because the vulnerability can be exploited remotely over the network without authentication, and the low complexity of exploitation makes it suitable for mass campaigns targeting thousands of sites [1].
A successful attacker could gain unauthorized access to administrative functions, modify data, or perform other actions that should be restricted. The CVSS score of 4.9 reflects a medium severity impact, but the real-world risk is elevated due to the ease of exploitation and the plugin's widespread use in educational environments [1].
Mitigation is straightforward: update the plugin to version 2.2.36 or later. If immediate updating is not possible, administrators should restrict access to the plugin's pages via web application firewall rules or consult their hosting provider for additional protections [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
- Range: <=2.2.35
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.