The vulnerability identified as CVE-2024-9637 affects the School Management System – WPSchoolPress plugin for WordPress, versions up to and including 2.2.10. The root cause is an authorization bypass due to improper validation of user identity when updating user details such as email addresses. Authenticated users with teacher-level access or higher can exploit this flaw to modify the email addresses of any user, including administrators. By changing an administrator's email, the attacker can trigger a password reset process, gaining unauthorized access to the administrator account and escalating privileges. This vulnerability is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS v3.1 base score is 8.8, indicating a high severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability. No patches were linked at the time of reporting, and no active exploits have been observed in the wild. The vulnerability poses a significant risk to the security of educational institutions and organizations relying on this plugin for managing sensitive user data and administrative functions.

The impact of CVE-2024-9637 is substantial for organizations using the WPSchoolPress plugin. Successful exploitation allows attackers to take over administrator accounts, leading to full control over the affected WordPress site. This can result in unauthorized access to sensitive student and staff data, manipulation or deletion of records, disruption of school management operations, and potential deployment of further malicious activities such as malware installation or ransomware. The breach of administrator credentials compromises the entire site’s security posture, potentially affecting all users and integrated systems. Given the plugin’s role in managing educational environments, the confidentiality, integrity, and availability of critical educational data and services are at high risk. The ease of exploitation by users with teacher-level privileges exacerbates the threat, as such accounts are commonly present in school environments.

Immediate mitigation steps include restricting teacher-level user privileges to the minimum necessary and monitoring account activities for suspicious email changes or password reset requests. Administrators should enforce strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of account takeover. Network-level protections like web application firewalls (WAFs) can be configured to detect and block anomalous requests attempting to modify user emails. Since no official patch was available at the time of reporting, organizations should closely monitor vendor communications for updates and apply patches promptly once released. Additionally, conducting regular audits of user accounts and access logs can help identify exploitation attempts early. If possible, temporarily disabling or limiting the plugin’s user update functionality until a fix is applied can reduce exposure. Educating staff about the risks of privilege misuse and ensuring least privilege principles are enforced will further mitigate risk.