CVE-2024-9658
Published: 07 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-9658 is a privilege escalation vulnerability via account takeover in the School Management System plugin for WordPress, affecting all versions up to and including 93.0.0. The issue stems from the plugin's failure to properly validate a user's identity before updating their details, such as email and password, through the mj_smgt_update_user() and mj_smgt_add_admission() functions, combined with a local file inclusion vulnerability. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function).
Authenticated attackers with student-level access or higher can exploit this vulnerability remotely over the network with low complexity. By leveraging the flawed functions, they can arbitrarily change any user's email address and password, including those of administrators, enabling full account takeover and escalation to higher privileges.
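The root cause described above is a user-detail update that trusts the submitted user id without checking who is making the request. The following is an added illustrative example, written here for this page and not code from the School Management System plugin or from Wordfence, showing what a WordPress AJAX update handler looks like when it performs the missing identity and authorization checks. The handler name, nonce action and POST field names are assumptions; the WordPress API calls (check_ajax_referer, current_user_can, wp_check_password, wp_update_user) are real core functions.

```php
<?php
// Added illustrative example; not code from the School Management System plugin.
// Handler name, nonce action ('example_update_user') and request field names are assumptions.

function example_handle_profile_update() {
    // Unauthenticated callers are rejected outright (addresses CWE-306).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    // Reject cross-site forged requests; nonce action name is assumed.
    check_ajax_referer( 'example_update_user', 'nonce' );

    $target_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $current_id = get_current_user_id();

    // Authorization: the id supplied in the request is never trusted on its own.
    // A user may edit only their own record unless core says they may edit that
    // specific user (addresses CWE-288: no alternate path around the identity check).
    if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'not allowed to modify this user', 403 );
    }

    $userdata = array( 'ID' => $target_id );

    if ( ! empty( $_POST['email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['email'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( 'invalid email', 400 );
        }
        $userdata['user_email'] = $email;
    }

    if ( ! empty( $_POST['password'] ) ) {
        // A self-service password change must prove possession of the current
        // password, so a hijacked session alone cannot lock the owner out.
        if ( $target_id === $current_id ) {
            $user    = get_userdata( $current_id );
            $current = isset( $_POST['current_password'] ) ? (string) $_POST['current_password'] : '';
            if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
                wp_send_json_error( 'current password incorrect', 403 );
            }
        }
        // wp_update_user() hashes 'user_pass' before storing it.
        $userdata['user_pass'] = (string) $_POST['password'];
    }

    $result = wp_update_user( $userdata );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'updated' => $target_id ) );
}
add_action( 'wp_ajax_example_update_user', 'example_handle_profile_update' );
```

The key difference from the behaviour the advisory describes is that the target user id from the request is only honoured after current_user_can( 'edit_user', $target_id ) succeeds, so a student-level account can update nothing but its own record, and even an administrator cannot reach another user's credentials without the same capability wp-admin would demand. When reviewing a plugin for this class of bug, grep its AJAX and form handlers for wp_update_user() or direct usermeta writes and confirm each one is preceded by a nonce check and a capability check tied to the specific target id.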
Advisories from Wordfence detail the vulnerability in their threat intelligence report, while the plugin's Codecanyon page provides general information on the School Management System. No patches or mitigations are available, as the vulnerability remains unaddressed despite outreach four months prior to public disclosure on March 7, 2025.
The flaw was escalated publicly after no response from the plugin maintainers, leaving installations exposed with no known fixes.
Details
CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel); CWE-306 (Missing Authentication for Critical Function)
Affected Products: School Management System plugin for WordPress, all versions up to and including 93.0.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is explicitly a privilege escalation via unauthorized account modification (password/email changes) in a public-facing WordPress plugin, allowing low-privileged authenticated users to take over admin accounts.