WPSchoolPress WordPress Plugin Privilege Escalation Vulnerability Allowing Account Takeover

Vulnerability

A privilege escalation vulnerability has been identified in the WPSchoolPress (School Management System) WordPress plugin, version 2.2.16 and prior. The issue arises from a missing capability check in the 'wpsp_UpdateTeacher()' function, which allows authenticated attackers with teacher-level access or higher to modify user details, including email addresses. By changing the email address of another account, such as an administrator's, and then requesting a password reset, an attacker can gain unauthorized access to that account.

Impact

Exploitation of this vulnerability could result in unauthorized privilege escalation, allowing attackers to access and control user accounts, including those of administrators.

Reproduction

To reproduce this vulnerability, an authenticated user with teacher-level access or higher sends a request that invokes the 'wpsp_UpdateTeacher()' function, which performs no capability check. The request includes the 'tregister_nonce' to get past the nonce verification and provides the details of the user to be updated, such as the email address. Because proper authorization checks are absent, the attacker can modify that user's email, which enables a password reset request and access to the user's account.
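
The kind of check that is missing, shown as an added example (not WPSchoolPress code and not the vendor's patch): a hypothetical WordPress AJAX handler that separates nonce verification from authorization. The handler name, nonce action, 'teacher' role slug and the 'teacher_id' and 'email' fields are assumptions; 'tregister_nonce' is taken to be the request field that carries the nonce.

```php
<?php
// Added example: hypothetical handler, not the plugin's own code.
// Assumed names: example_update_teacher, its nonce action, the 'teacher'
// role slug, and the 'teacher_id' / 'email' POST fields.

add_action( 'wp_ajax_example_update_teacher', 'example_update_teacher' );

function example_update_teacher() {
    // 1. Request-forgery protection only. A valid nonce ties the request to
    //    the caller's session; it says nothing about what the caller may edit.
    check_ajax_referer( 'example_update_teacher', 'tregister_nonce' );

    $target_id = isset( $_POST['teacher_id'] ) ? absint( $_POST['teacher_id'] ) : 0;
    $target    = $target_id ? get_userdata( $target_id ) : false;
    if ( ! $target ) {
        wp_send_json_error( 'Unknown user.', 404 );
    }

    // 2. Authorization: 'edit_user' is a WordPress meta capability that is
    //    evaluated against the specific target user ID.
    if ( ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'Not allowed.', 403 );
    }

    // 3. Scope: this endpoint edits teacher records only, so accounts with
    //    other roles (administrators included) are never a valid target.
    if ( ! in_array( 'teacher', (array) $target->roles, true ) ) {
        wp_send_json_error( 'Target is not a teacher.', 403 );
    }

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'Invalid email address.', 400 );
    }

    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
```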

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.6
impact: 5.0
exploitability: 6.4
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.