CVE-2025-3740
Published: 18 July 2025
Summary
CVE-2025-3740 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the LFI vulnerability by requiring validation and sanitization of the untrusted 'page' parameter to prevent arbitrary file inclusion and execution.
Addresses the specific flaw in the School Management System plugin by requiring timely patching to the fixed version 1.93.1, eliminating the vulnerable code.
Limits exploitation impact and privilege escalation from Subscriber-level access by enforcing least privilege, restricting low-privilege users from performing unauthorized file access or admin password updates.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI in public-facing WordPress plugin directly enables T1190 exploitation leading to RCE; explicit chaining for password update enables T1068; arbitrary PHP file execution facilitates web shell deployment (T1505.003).
NVD Description
The School Management System for Wordpress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 93.1.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to…
more
include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One such chain can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible. The vendor has updated the version numbers beginning with `1.93.1 (02-07-2025)` for the patched version. This version comes after version 93.1.0.
Deeper analysisAI
CVE-2025-3740 is a Local File Inclusion (LFI) vulnerability, classified under CWE-22, affecting the School Management System plugin for WordPress in all versions up to and including 93.1.0. The flaw arises from inadequate sanitization of the 'page' parameter, enabling the inclusion and execution of arbitrary files on the server.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows attackers to execute arbitrary PHP code from included files, bypassing access controls, extracting sensitive data, or achieving remote code execution by chaining with uploads of images or other "safe" file types containing PHP payloads. In WordPress Multisite environments, attackers can chain the LFI to include plugin dashboard view files and update Super Administrator passwords, enabling privilege escalation.
The vendor addressed the issue in version 1.93.1, released on 02-07-2025, which follows 93.1.0. Mitigation details are available in the plugin's update history on CodeCanyon and Wordfence's threat intelligence advisory. Security practitioners should update to the patched version and review access to Subscriber roles.
Details
- CWE(s)