CVE-2024-9658
Published: 07 March 2025
Summary
CVE-2024-9658 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Dasinfomedia School Management System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 36.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access, directly preventing low-privilege authenticated users from updating arbitrary users' emails and passwords via the vulnerable mj_smgt_update_user() and mj_smgt_add_admission() functions.
- Authenticator management: Requires identity verification prior to managing and changing authenticators such as passwords and emails, countering the authentication bypass that enables account takeover of administrators.
- AC-2 (Account Management): Establishes secure procedures for modifying accounts, including approvals and notifications, mitigating unauthorized changes to user details that lead to privilege escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is explicitly a privilege escalation via unauthorized account modification (password/email changes) in a public-facing WordPress plugin, allowing low-privileged authenticated users to take over admin accounts.
NVD Description
The School Management System for Wordpress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 93.0.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email and password through the mj_smgt_update_user() and mj_smgt_add_admission() functions, along with a local file inclusion vulnerability. This makes it possible for authenticated attackers, with student-level access and above, to change arbitrary user's email addresses and passwords, including administrators, and leverage that to gain access to their account. This was escalated four months ago after no response to our initial outreach, yet it is still vulnerable.
Deeper analysis
CVE-2024-9658 is a privilege escalation vulnerability via account takeover in the School Management System plugin for WordPress, affecting all versions up to and including 93.0.0. The issue stems from the plugin's failure to properly validate a user's identity before updating their details, such as email and password, through the mj_smgt_update_user() and mj_smgt_add_admission() functions, combined with a local file inclusion vulnerability. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function).
Authenticated attackers with student-level access or higher can exploit this vulnerability remotely over the network with low complexity. By leveraging the flawed functions, they can arbitrarily change any user's email address and password, including those of administrators, enabling full account takeover and escalation to higher privileges.
Advisories from Wordfence detail the vulnerability in their threat intelligence report, while the plugin's Codecanyon page provides general information on the School Management System. No patches or mitigations are available: the vulnerability remains unaddressed despite outreach four months prior to public disclosure on March 7, 2025.
The flaw was escalated publicly after no response from the plugin maintainers, leaving installations exposed with no known fixes.
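The root cause described above is an update handler that trusts a caller-supplied user id without binding it to the caller's own identity or capabilities. The following WordPress-style handler is an added illustration of the AC-3 enforcement the analysis calls for; it is not the plugin's code (the real mj_smgt_update_user() source is not on this page), and the action name, nonce name and request field names are assumptions.

```php
<?php
// Hypothetical hardened "update user" handler in WordPress style (example only,
// not taken from the School Management System plugin). It adds the checks whose
// absence lets a student-level account rewrite an administrator's email/password.

function smgt_example_update_user() {
    // Require an authenticated session (counters CWE-306).
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Forbidden', array( 'response' => 401 ) );
    }
    // Reject cross-site forged submissions; 'smgt_update_user' is an assumed nonce action.
    check_admin_referer( 'smgt_update_user' );

    $target_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $current_id = get_current_user_id();

    // Bind the request to the caller: only the account owner, or a user who holds
    // the edit_user meta capability for that specific target, may proceed (AC-3).
    if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_die( 'Not allowed to modify this account.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Build an allow-list of fields; role/capability fields are never taken from input.
    $data = array( 'ID' => $target_id );
    if ( ! empty( $_POST['user_email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['user_email'] ) );
        $owner = email_exists( $email );
        if ( ! is_email( $email ) || ( $owner && (int) $owner !== $target_id ) ) {
            wp_die( 'Invalid or already-registered e-mail address.' );
        }
        $data['user_email'] = $email;
    }
    if ( ! empty( $_POST['user_pass'] ) ) {
        // Self-service password changes must re-verify the current password, so a
        // hijacked session alone cannot rotate the credential (AC-2 / authenticator mgmt).
        if ( $target_id === $current_id ) {
            $user    = wp_get_current_user();
            $current = isset( $_POST['current_pass'] ) ? (string) wp_unslash( $_POST['current_pass'] ) : '';
            if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
                wp_die( 'Current password does not match.' );
            }
        }
        $data['user_pass'] = (string) wp_unslash( $_POST['user_pass'] );
    }

    $result = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }
}
add_action( 'admin_post_smgt_update_user', 'smgt_example_update_user' );
```

Administrators editing other accounts pass the edit_user check as in core WordPress, so the change also triggers the usual account-change notifications that AC-2 expects.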
Details
- CWE(s)