Cyber Resilience

CVE-2025-1667

High

Published: 15 March 2025

Published
15 March 2025
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1667 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Igexsolutions Wpschoolpress. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1667 is a privilege escalation vulnerability in the School Management System – WPSchoolPress plugin for WordPress, stemming from a missing capability check in the wpsp_UpdateTeacher() function. It affects all versions up to and including 2.2.16. The issue is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-862 (Missing Authorization).

Authenticated attackers with teacher-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By calling the vulnerable function, they can update arbitrary user details, including email addresses, enabling them to request password resets and subsequently gain unauthorized access to any user account, including administrator accounts.

References include code excerpts from the WordPress plugin trac repository, highlighting line 544 in the vulnerable version 2.2.16 (wpsp-ajaxworks-teacher.php) and the subsequent version 2.2.17, indicating a potential patch introduction. The Wordfence threat intelligence page provides further details on the vulnerability (ID: e54f98bc-c538-4f3c-b24a-6e778a3748ef).

EU & UK References

Vulnerability details

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with…

more

teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The missing authorization check in wpsp_UpdateTeacher() directly enables T1068 (Exploitation for Privilege Escalation) by allowing low-privileged authenticated users to escalate to admin via arbitrary account updates, and facilitates T1098 (Account Manipulation) by permitting modification of user details like email addresses to hijack accounts through password resets.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25654Shared CWE-639
CVE-2026-25045Shared CWE-862
CVE-2024-13677Shared CWE-862
CVE-2026-4261Shared CWE-862
CVE-2026-35182Shared CWE-862
CVE-2026-5465Shared CWE-639
CVE-2026-7802Shared CWE-862
CVE-2025-8310Shared CWE-862
CVE-2025-15096Shared CWE-639
CVE-2025-8322Shared CWE-862

Affected Assets

igexsolutions
wpschoolpress
≤ 2.2.16

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly addressing the missing capability check in wpsp_UpdateTeacher() that allows unauthorized user detail updates.

prevent

Requires timely identification, reporting, and remediation of flaws like the authorization bypass in the WPSchoolPress plugin, preventing exploitation across affected versions.

prevent

Employs least privilege to limit teacher-level accounts from performing actions like updating arbitrary user emails, mitigating escalation potential despite the bypass.

References