Cyber Resilience

CVE-2025-3740

High

Published: 18 July 2025

Published
18 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0058 69.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-3740 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-3740 is a Local File Inclusion (LFI) vulnerability, classified under CWE-22, affecting the School Management System plugin for WordPress in all versions up to and including 93.1.0. The flaw arises from inadequate sanitization of the 'page' parameter, enabling the inclusion and execution of arbitrary files on the server.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows attackers to execute arbitrary PHP code from included files, bypassing access controls, extracting sensitive data, or achieving remote code execution by chaining with uploads of images or other "safe" file types containing PHP payloads. In WordPress Multisite environments, attackers can chain the LFI to include plugin dashboard view files and update Super Administrator passwords, enabling privilege escalation.

The vendor addressed the issue in version 1.93.1, released on 02-07-2025, which follows 93.1.0. Mitigation details are available in the plugin's update history on CodeCanyon and Wordfence's threat intelligence advisory. Security practitioners should update to the patched version and review access to Subscriber roles.

EU & UK References

Vulnerability details

The School Management System for Wordpress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 93.1.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to…

more

include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One such chain can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible. The vendor has updated the version numbers beginning with `1.93.1 (02-07-2025)` for the patched version. This version comes after version 93.1.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

LFI in public-facing WordPress plugin directly enables T1190 exploitation leading to RCE; explicit chaining for password update enables T1068; arbitrary PHP file execution facilitates web shell deployment (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-3671Shared CWE-22
CVE-2025-40738Shared CWE-22
CVE-2025-40737Shared CWE-22
CVE-2024-55415Shared CWE-22
CVE-2025-1661Shared CWE-22
CVE-2026-33529Shared CWE-22
CVE-2026-9550Shared CWE-22
CVE-2024-44373Shared CWE-22
CVE-2025-62630Shared CWE-22
CVE-2019-25471Shared CWE-22

Affected Assets

This
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the LFI vulnerability by requiring validation and sanitization of the untrusted 'page' parameter to prevent arbitrary file inclusion and execution.

prevent

Addresses the specific flaw in the School Management System plugin by requiring timely patching to the fixed version 1.93.1, eliminating the vulnerable code.

prevent

Limits exploitation impact and privilege escalation from Subscriber-level access by enforcing least privilege, restricting low-privilege users from performing unauthorized file access or admin password updates.

References