CVE-2024-12609 is a SQL Injection vulnerability classified under CWE-89, found in the dasinfomedia School Management System plugin for WordPress. The issue exists in the mj_smgt_view_student_attendance() function, which handles the 'view-attendance' page. The vulnerability stems from insufficient escaping and lack of prepared statements for user-supplied input parameters, allowing authenticated users with Student-level or higher privileges to inject arbitrary SQL code. This injection enables attackers to append additional SQL queries to the existing ones, potentially extracting sensitive information from the backend database. The vulnerability affects all versions up to and including 92.0.0 of the plugin. The CVSS 3.1 base score is 6.5, with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network exploitable with low attack complexity, requiring privileges but no user interaction, and causing high confidentiality impact without affecting integrity or availability. No patches or official fixes have been published yet, and no known exploits have been observed in the wild. The vulnerability poses a significant risk to the confidentiality of data managed by the plugin, especially in educational institutions relying on this system for student attendance and related records.

The primary impact of CVE-2024-12609 is unauthorized disclosure of sensitive information stored in the database of the School Management System plugin. Attackers with authenticated access at the Student level or above can exploit the SQL Injection vulnerability to extract confidential data such as student records, attendance logs, and potentially other sensitive information stored within the WordPress database. This breach of confidentiality can lead to privacy violations, regulatory non-compliance (e.g., FERPA in the US, GDPR in Europe), reputational damage, and potential legal consequences for affected organizations. Although the vulnerability does not allow modification or deletion of data (no integrity or availability impact), the exposure of sensitive educational data can be highly damaging. The ease of exploitation (low complexity, network accessible) combined with the widespread use of WordPress and this plugin in educational environments globally increases the risk profile. Organizations that do not restrict access or monitor authenticated user actions are particularly vulnerable.

1. Immediate mitigation involves restricting access to the 'view-attendance' page and related functionalities to only trusted and necessary user roles, minimizing the number of users with Student-level or higher privileges. 2. Implement Web Application Firewall (WAF) rules to detect and block SQL Injection attempts targeting the vulnerable parameter. 3. Monitor database query logs and application logs for unusual or suspicious SQL query patterns indicative of injection attempts. 4. If possible, disable or remove the dasinfomedia School Management System plugin until a security patch is released. 5. Encourage the vendor to release a patch that properly uses parameterized queries or prepared statements to sanitize user inputs in the mj_smgt_view_student_attendance() function. 6. Educate administrators and users about the risks of SQL Injection and the importance of least privilege principles. 7. Regularly back up databases and ensure backups are secure to mitigate potential future risks. 8. Conduct penetration testing and code reviews on custom or third-party WordPress plugins to identify similar vulnerabilities proactively.