The School Management System WordPress plugin before 2.2.5 uses the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users like Teachers.
CPE | Name | Operator | Version |
---|---|---|---|
wpschoolpress | lt | 2.2.5 |