WordPress Plugin Vulnerabilities

The School Management < 4.2 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Affects Plugins

Plugin icon
school-management-system
Fixed in 4.2

References

CVE
CVE-2022-47430

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
minhtuanact
Verified
No
WPVDB ID
b7bfcde3-c5b5-4dbf-a67f-306bf593d0b5

Timeline

Publicly Published
2023-04-19 (about 3 years ago)
Added
2023-11-17 (about 2 years ago)
Last Updated
2023-11-17 (about 2 years ago)

Other

Published
Title
Published
2026-03-20
Title
Pre* Party Resource Hints <= 1.8.20 - Authenticated (Subscriber+) SQL Injection via 'hint_ids' Parameter
Published
2022-11-09
Title
WP CSV Exporter < 1.3.7 - Admin+ SQLi
Published
2025-07-15
Title
ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes < 1.5.0 - Authenticated (Subscriber+) SQL Injection
Published
2014-08-01
Title
blogVault 1.05 - admin.php blogVault Key Setting CSRF
Published
2024-07-19
Title
UiPress lite < 3.4.07 - Authenticated (Administrator+) SQL Injection