CVE-2024-12610: CWE-862 Missing Authorization in dasinfomedia School Management System for Wordpress
CVE-2024-12610 is a medium severity vulnerability in the dasinfomedia School Management System plugin for WordPress, affecting all versions up to 93.0.0. It arises from missing authorization checks on two AJAX actions ('mj_smgt_remove_feetype' and 'mj_smgt_remove_category_new'), allowing unauthenticated attackers to delete arbitrary posts. The vulnerability does not impact confidentiality or availability but leads to integrity loss by enabling unauthorized data deletion. Exploitation requires no authentication or user interaction and can be performed remotely over the network. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to websites using this plugin, particularly educational institutions relying on it for managing school data. Mitigation involves applying patches once available or implementing strict access controls and monitoring AJAX endpoints. Countries with significant WordPress usage and educational institutions using this plugin, such as the United States, India, Brazil, United Kingdom, and Australia, are most at risk. Organizations should prioritize timely updates and audit plugin usage to reduce exposure.
AI Analysis
Technical Summary
CVE-2024-12610 identifies a missing authorization vulnerability (CWE-862) in the dasinfomedia School Management System plugin for WordPress, affecting all versions up to 93.0.0. The flaw exists because the plugin fails to perform capability checks on two AJAX actions: 'mj_smgt_remove_feetype' and 'mj_smgt_remove_category_new'. These AJAX endpoints are intended to allow authorized users to remove fee types and categories within the school management system. However, due to the missing authorization, unauthenticated attackers can invoke these actions remotely to delete arbitrary posts on the WordPress site. This unauthorized deletion compromises data integrity by allowing attackers to remove content without permission. The vulnerability does not affect confidentiality or availability directly, as it does not expose sensitive data or cause denial of service. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of exploitation (no authentication or user interaction required) but limited impact scope (integrity loss only). No patches were linked at the time of publication, and no known exploits have been reported in the wild. The vulnerability is particularly concerning for educational institutions using this plugin to manage critical school data, as unauthorized deletions could disrupt operations or cause data loss. Detection and mitigation require monitoring AJAX requests and ensuring proper authorization checks are enforced on these endpoints.
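The following is an added illustration, not code from the dasinfomedia plugin or from Wordfence. It shows the shape of a CWE-862 bug on a WordPress AJAX action next to the hardened form of the same handler. The action name 'mj_smgt_remove_feetype' comes from the advisory; the post type 'fee_type', the request parameter 'id', the required capability 'manage_options' and the function names are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Illustrates the missing-authorization
// pattern described for CVE-2024-12610 and its hardened counterpart.
// Hypothetical assumptions: fee types are stored as posts of type 'fee_type',
// the post ID arrives in $_POST['id'], and plugin management requires the
// 'manage_options' capability.

// WEAK PATTERN (illustrative): no nonce check, no capability check, and the
// handler deletes whatever post ID it is handed. Registering it on the
// wp_ajax_nopriv_* hook would make it reachable by anonymous callers, which is
// the condition the advisory describes.
function example_remove_feetype_weak() {
    $post_id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
// add_action( 'wp_ajax_nopriv_mj_smgt_remove_feetype', 'example_remove_feetype_weak' );

// HARDENED PATTERN: logged-in users only, CSRF nonce verified, capability
// enforced, and the target constrained to the expected post type so the
// action cannot be turned into an arbitrary-post delete.
function example_remove_feetype_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'mj_smgt_remove_feetype', 'nonce' );

    // 2. Authorization: only users allowed to manage the plugin may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation plus an object-level check: the ID must refer to a
    //    post of the expected type.
    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || 'fee_type' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'invalid fee type' ), 400 );
    }

    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
// Only the authenticated hook is registered; there is deliberately no
// wp_ajax_nopriv_ variant, because anonymous users have no reason to delete.
add_action( 'wp_ajax_mj_smgt_remove_feetype', 'example_remove_feetype_hardened' );
```

The nonce alone is not an authorization control: it only proves the request originated from a page WordPress rendered for that user. The capability check is what closes CWE-862, and the post-type check is what prevents a legitimate but over-broad delete of unrelated content.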
Potential Impact
The primary impact of CVE-2024-12610 is unauthorized data deletion, which affects the integrity of the affected WordPress sites using the dasinfomedia School Management System plugin. Organizations relying on this plugin, especially educational institutions, may face operational disruptions if critical fee types or category data are deleted maliciously. Although the vulnerability does not expose confidential information or cause denial of service, the loss of data integrity can lead to administrative overhead, loss of trust, and potential compliance issues if records are altered or removed without authorization. The ease of exploitation, requiring no authentication or user interaction, means attackers can remotely target vulnerable sites at scale. This could lead to widespread defacement or data manipulation campaigns against educational websites. The absence of known exploits in the wild suggests limited active exploitation currently, but the vulnerability remains a significant risk until patched or mitigated. Organizations with public-facing WordPress sites using this plugin are particularly vulnerable to automated attacks or opportunistic attackers scanning for this flaw.
Mitigation Recommendations
1. Apply official patches or updates from dasinfomedia as soon as they become available to ensure proper authorization checks are implemented on the vulnerable AJAX actions.
2. In the absence of patches, restrict access to the affected AJAX endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests targeting 'mj_smgt_remove_feetype' and 'mj_smgt_remove_category_new'.
3. Limit plugin usage to trusted administrators and disable or remove the plugin if it is not essential to reduce attack surface.
4. Monitor web server and WordPress logs for suspicious AJAX requests or unusual deletion activities related to fee types and categories.
5. Conduct regular backups of WordPress content and database to enable recovery from unauthorized deletions.
6. Employ the principle of least privilege for WordPress user roles to minimize damage if exploitation occurs.
7. Consider deploying security plugins that can detect and block unauthorized AJAX calls or anomalous behavior.
8. Educate site administrators about the risks of unauthorized plugin actions and encourage timely updates.
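As an added example covering items 2, 4 and 7 above (it is not vendor code and not a Wordfence rule), the following must-use plugin acts as a compensating control until a patched plugin version is installed: it intercepts admin-ajax.php requests for the two action names from the advisory, rejects callers who are anonymous or lack the assumed 'manage_options' capability, and writes one log line per rejected attempt so the activity is visible in the PHP error log. The file location wp-content/mu-plugins/ is standard WordPress; the capability name and all function and constant names are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Example compensating control for CVE-2024-12610
 *
 * Added example, not the plugin's or vendor's code. Place it in
 * wp-content/mu-plugins/ so it loads before regular plugins. It blocks and
 * logs under-privileged calls to the two AJAX actions named in the advisory.
 * Remove it once the vendor ships a release with proper capability checks.
 */

// Action names taken from the advisory; the required capability is assumed.
const EXAMPLE_CVE_2024_12610_ACTIONS = array(
    'mj_smgt_remove_feetype',
    'mj_smgt_remove_category_new',
);
const EXAMPLE_CVE_2024_12610_CAP = 'manage_options';

/**
 * Policy decision kept as a pure function: returns true when the request
 * names one of the affected actions and the caller is either not logged in
 * or lacks the required capability. Unrelated actions are never touched.
 */
function example_cve_2024_12610_should_block( $action, $is_logged_in, $has_cap ) {
    if ( ! in_array( $action, EXAMPLE_CVE_2024_12610_ACTIONS, true ) ) {
        return false;
    }
    return ! $is_logged_in || ! $has_cap;
}

/**
 * Hooked on admin_init, which admin-ajax.php fires before dispatching the
 * wp_ajax_* and wp_ajax_nopriv_* hooks, so this check runs ahead of the
 * plugin's own handler regardless of plugin load order.
 */
function example_cve_2024_12610_guard() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    // 'action' may arrive via GET or POST; sanitize_key keeps [a-z0-9_-].
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    $block = example_cve_2024_12610_should_block(
        $action,
        is_user_logged_in(),
        current_user_can( EXAMPLE_CVE_2024_12610_CAP )
    );
    if ( ! $block ) {
        return;
    }

    // Log what is needed for triage (action, source IP, user ID) without
    // echoing the raw request body.
    error_log( sprintf(
        'CVE-2024-12610 guard: blocked action=%s ip=%s user=%d',
        $action,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        get_current_user_id()
    ) );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
add_action( 'admin_init', 'example_cve_2024_12610_guard' );
```

The guard deliberately keys on the action name rather than on the request path alone, because both affected actions are served by the shared admin-ajax.php endpoint and a path-only WAF rule would block every AJAX call on the site. If the site sits behind a reverse proxy, REMOTE_ADDR will be the proxy address; read the forwarded-for header only if the proxy is trusted to set it.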
Affected Countries
United States, India, Brazil, United Kingdom, Australia, Canada, Germany, France, South Africa, Philippines
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-13T14:01:57.325Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e44b7ef31ef0b59c03d
Added to database: 2/25/2026, 9:48:52 PM
Last enriched: 2/26/2026, 3:28:11 AM
Last updated: 2/26/2026, 6:13:43 AM