CVE-2025-3740: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dasinfomedia School Management System for Wordpress
The School Management System for Wordpress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 93.1.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One such chain can be leveraged to update the password of Super Administrator accounts in Multisite environments, making privilege escalation possible. The vendor has updated the version numbers beginning with `1.93.1 (02-07-2025)` for the patched version. This version comes after version 93.1.0.
AI Analysis
Technical Summary
CVE-2025-3740 is a critical Local File Inclusion vulnerability in the dasinfomedia School Management System plugin for WordPress, identified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The flaw exists in the handling of the 'page' parameter, which fails to properly sanitize input, allowing authenticated users with Subscriber-level privileges or higher to traverse directories and include arbitrary files on the server. This inclusion can lead to execution of arbitrary PHP code embedded in those files, effectively enabling remote code execution (RCE). The vulnerability can be exploited without user interaction beyond authentication, and attackers can chain the LFI to include various dashboard view files. Notably, in WordPress Multisite environments, this can be leveraged to update Super Administrator passwords, resulting in severe privilege escalation. The vulnerability affects all plugin versions up to and including 93.1.0, with a patched version 1.93.1 released on February 7, 2025. The CVSS v3.1 base score is 8.8, reflecting its high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. Although no known exploits are reported in the wild yet, the vulnerability's nature and impact make it a critical risk for affected WordPress sites, especially educational institutions using this plugin for school management.
Potential Impact
The impact of CVE-2025-3740 is significant for organizations using the dasinfomedia School Management System plugin on WordPress. Exploitation allows attackers with minimal privileges (Subscriber-level) to execute arbitrary code on the web server, potentially leading to full system compromise. This includes bypassing access controls, stealing sensitive data such as student records, and modifying or deleting critical information. In WordPress Multisite setups, attackers can escalate privileges to Super Administrator level by resetting passwords, gaining control over all sites in the network. This can disrupt educational operations, lead to data breaches involving personally identifiable information (PII), and damage organizational reputation. The ease of exploitation and the broad scope of affected versions increase the risk of widespread attacks, particularly targeting educational institutions relying on this plugin for critical administrative functions.
Mitigation Recommendations
Organizations should immediately update the dasinfomedia School Management System plugin to version 1.93.1 or later, which contains the patch for this vulnerability. Until the update is applied, restrict access to the WordPress admin area to trusted users only and consider implementing Web Application Firewall (WAF) rules to detect and block attempts to exploit the 'page' parameter for path traversal. Review and tighten user role assignments to minimize the number of users with Subscriber-level or higher privileges. Monitor logs for unusual file inclusion attempts or unexpected changes to administrator accounts, especially in Multisite environments. Additionally, conduct a thorough audit of uploaded files and server directories to detect any unauthorized PHP files or modifications. Employ security plugins that can detect LFI attempts and consider disabling or restricting file upload capabilities if not essential. Finally, educate administrators and users about the risks and signs of exploitation to enable rapid incident response.
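One way to act on the log-monitoring and WAF advice above is to triage web-server access logs for traversal-shaped values of the `page` parameter and to mirror the fix (a strict slug allowlist) in the same check. The script below is an added example, not code from the page, the plugin vendor or Wordfence. It assumes nothing about the plugin's real endpoint or include logic, which the page does not show: the request paths, the `school-dashboard` slug, the allowlist pattern and all log lines are constructed for illustration.

```python
"""Flag suspicious 'page' parameter values in access logs (added example).

Intended for defenders triaging logs for path-traversal / LFI attempts of the
kind described for CVE-2025-3740. Endpoint paths and slugs are placeholders.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" format. Not real traffic;
# the admin.php path and the 'school-dashboard' slug are assumptions.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jul/2025:04:31:12 +0000] "GET /wp-admin/admin.php?page=school-dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Jul/2025:04:32:01 +0000] "GET /wp-admin/admin.php?page=../../../../etc/passwd HTTP/1.1" 200 1820 "-" "curl/8.0"
203.0.113.12 - - [18/Jul/2025:04:32:44 +0000] "GET /wp-admin/admin.php?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.13 - - [18/Jul/2025:04:33:10 +0000] "GET /wp-admin/admin.php?page=%2Fetc%2Fhosts HTTP/1.1" 403 221 "-" "Mozilla/5.0"
203.0.113.14 - - [18/Jul/2025:04:33:57 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined-log-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed shape of a legitimate admin page slug: the allowlist a fixed
# include routine should enforce instead of trusting the raw parameter.
SLUG_RE = re.compile(r"[A-Za-z0-9_-]+")


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded traversal is seen
    as plain '../', and fold backslashes to forward slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def traversal_reasons(page_value: str) -> list:
    """Return the reasons a 'page' value looks like traversal/LFI; empty if clean."""
    v = normalize(page_value)
    reasons = []
    if re.search(r"(^|/)\.\.(/|$)", v):
        reasons.append("dot-dot segment")
    if v.startswith("/"):
        reasons.append("absolute path")
    if "\x00" in v:
        reasons.append("null byte")
    if re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", v):
        reasons.append("URL or stream wrapper")
    if not SLUG_RE.fullmatch(v):
        reasons.append("outside slug allowlist")
    return reasons


def scan_log(log_text: str) -> list:
    """Parse combined-format lines and report every request whose 'page'
    query parameter trips traversal_reasons()."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs decodes one layer; normalize() handles any further layers.
        for raw in parse_qs(query, keep_blank_values=True).get("page", []):
            reasons = traversal_reasons(raw)
            if reasons:
                hits.append({
                    "ip": m["ip"], "time": m["ts"], "status": m["status"],
                    "page": raw, "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} status={h["status"]} '
              f'page={h["page"]!r} -> {", ".join(h["reasons"])}')
```

When triaging, weight the HTTP status: a traversal-shaped request that returned 200 from an unpatched install deserves immediate follow-up, while a 403 suggests a WAF or access control already stopped it. The `traversal_reasons` check is the same allowlist logic a WAF rule or the plugin's own include routine should apply before the value ever reaches a filesystem call.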
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-16T16:39:12.716Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6879ce10a83201eaaceef294
Added to database: 7/18/2025, 4:31:12 AM
Last enriched: 2/27/2026, 1:46:05 PM
Last updated: 3/27/2026, 10:12:32 AM