CVE-2025-3740 is a high-severity vulnerability affecting the dasinfomedia School Management System plugin for WordPress, specifically versions up to and including 93.1.0. The vulnerability is classified as a CWE-22 Path Traversal flaw that enables Local File Inclusion (LFI) via the 'page' parameter. Authenticated attackers with Subscriber-level privileges or higher can exploit this flaw to include and execute arbitrary files on the server. This includes the execution of arbitrary PHP code embedded in files uploaded to the server, even if these files are ostensibly 'safe' types such as images. The vulnerability allows attackers to bypass access controls and access sensitive data. Furthermore, the LFI can be chained to include various dashboard view files within the plugin, which in multisite WordPress environments can be leveraged to escalate privileges by updating the password of Super Administrator accounts. This effectively allows attackers to gain full administrative control over the WordPress multisite installation. The vulnerability requires authentication but no user interaction beyond that. The vendor addressed this issue in version 1.93.1, released on 2 July 2025, which supersedes version 93.1.0. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and network attack vector. No known exploits in the wild have been reported yet, but the potential for severe impact is significant given the ability to achieve remote code execution and privilege escalation within WordPress multisite environments.

For European organizations using the dasinfomedia School Management System plugin on WordPress, this vulnerability poses a critical risk. Exploitation can lead to unauthorized disclosure of sensitive educational data, including student records and administrative information, violating data protection regulations such as the GDPR. The ability to execute arbitrary code and escalate privileges to Super Administrator level threatens the integrity and availability of the entire WordPress multisite network, potentially resulting in full site compromise, defacement, or persistent backdoors. Educational institutions, government agencies, and private organizations managing school data are particularly at risk. The breach of confidentiality and integrity could lead to reputational damage, legal penalties, and operational disruptions. Since the vulnerability requires only subscriber-level authentication, attackers could exploit compromised or weak user credentials or social engineering to gain initial access, making the threat more feasible. The multisite privilege escalation aspect amplifies the impact by allowing attackers to control multiple sites within a network from a single exploit.

European organizations should urgently update the dasinfomedia School Management System plugin to version 1.93.1 or later, which contains the patch for this vulnerability. Until the update is applied, organizations should restrict plugin access to trusted users only and monitor for unusual activity from subscriber-level accounts. Implement strict password policies and multi-factor authentication to reduce the risk of credential compromise. Conduct regular audits of user roles and permissions to ensure no unauthorized privilege escalation is possible. Employ web application firewalls (WAFs) with rules designed to detect and block path traversal and LFI attempts targeting the 'page' parameter. Additionally, disable or restrict file uploads where possible, or enforce strict file type validation and scanning to prevent malicious PHP code uploads disguised as images or other safe file types. For multisite WordPress environments, monitor for unexpected changes to Super Administrator accounts and implement alerting mechanisms for password changes or privilege escalations. Backup WordPress sites regularly and verify backup integrity to enable recovery in case of compromise.