CVE-2025-1667
Published: 15 March 2025
Description
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Security Summary
CVE-2025-1667 is a privilege escalation vulnerability in the School Management System – WPSchoolPress plugin for WordPress, stemming from a missing capability check in the wpsp_UpdateTeacher() function. It affects all versions up to and including 2.2.16. The issue is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-862 (Missing Authorization).
Authenticated attackers with teacher-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By calling the vulnerable function, they can update arbitrary user details, including email addresses, enabling them to request password resets and subsequently gain unauthorized access to any user account, including administrator accounts.
References include code excerpts from the WordPress plugin Trac repository, highlighting line 544 of wpsp-ajaxworks-teacher.php in the vulnerable version 2.2.16 and in the subsequent version 2.2.17, which suggests where a patch may have been introduced. The Wordfence threat intelligence page provides further details on the vulnerability (ID: e54f98bc-c538-4f3c-b24a-6e778a3748ef).
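The authorization pattern the summary describes as missing, shown as an added example (not code from WPSchoolPress or its 2.2.17 release): a hypothetical WordPress AJAX handler that checks the caller's capability against the target user ID before changing an email address. The action name, nonce action, POST field names and the 'teacher' role slug are assumptions.

```php
<?php
// Added illustration: hypothetical handler, not WPSchoolPress code.
// Assumed names: action 'example_update_teacher', nonce action
// 'example_teacher_edit', POST fields 'user_id' / 'email', role 'teacher'.

add_action( 'wp_ajax_example_update_teacher', 'example_update_teacher' );

function example_update_teacher() {
    // 1. CSRF: reject requests without a valid nonce (dies with 403 on failure).
    check_ajax_referer( 'example_teacher_edit', 'nonce' );

    // 2. Treat the record ID as untrusted, user-controlled input (CWE-639).
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $target    = $target_id ? get_userdata( $target_id ) : false;
    if ( ! $target ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 404 );
    }

    // 3. Authorization on the target object (CWE-862): 'edit_user' is a meta
    //    capability that WordPress resolves against this specific user ID, so
    //    a caller without 'edit_users' can only pass it for their own account.
    if ( ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 4. Scope: this endpoint only ever edits teacher records.
    if ( ! in_array( 'teacher', (array) $target->roles, true ) ) {
        wp_send_json_error( array( 'message' => 'Not a teacher record.' ), 403 );
    }

    // 5. Validate the new email before writing it.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email.' ), 400 );
    }

    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'updated' => $target_id ) );
}
```

Steps 3 and 4 are the checks that map to the two CWEs listed above; the nonce in step 1 only addresses cross-site request forgery and is not a substitute for them.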
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization check in wpsp_UpdateTeacher() directly enables T1068 (Exploitation for Privilege Escalation) by allowing low-privileged authenticated users to escalate to admin via arbitrary account updates, and facilitates T1098 (Account Manipulation) by permitting modification of user details like email addresses to hijack accounts through password resets.