CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online Security & Risk Analysis

wordpress.org/plugins/coschool

A complete LMS toolkit. Simple and complete.

40 active installs · v1.4.3 · PHP 7.4+ · WP 6.0+ · Updated Jun 3, 2025
Tags: course, education, learning, learning-management-system, lms
Score: 36 · D · High Risk
CVEs total: 3
Unpatched: 3
Last CVE: Jul 14, 2025
Safety Verdict

Is CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online Safe to Use in 2026?

High Risk

Score 36/100

CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online carries significant security risk with 3 known CVEs, 3 still unpatched. Consider switching to a maintained alternative.

3 known CVEs · 3 unpatched · Last CVE: Jul 14, 2025 · Updated 10mo ago
Risk Assessment

The "coschool" plugin v1.4.3 presents a significant security risk due to its extensive attack surface and a history of severe vulnerabilities. A concerning 25 AJAX handlers lack authentication checks, creating numerous direct entry points for attackers. This is exacerbated by 6 high-severity taint flows with unsanitized paths, indicating potential for code execution or data manipulation if an attacker can control the input to these flows. The presence of the `unserialize` function, a known dangerous function, further amplifies the risk of deserialization vulnerabilities, especially when combined with unsanitized input.

The plugin's vulnerability history is particularly alarming, with 3 known CVEs, all of which remain unpatched. This includes one critical and one high-severity vulnerability, along with a medium one. The common types of these past vulnerabilities – SQL Injection, Deserialization of Untrusted Data, and Missing Authorization – directly align with the critical findings from the static analysis. This pattern suggests recurring security flaws that have not been adequately addressed, indicating a lack of consistent security patching and development practices.

While the plugin demonstrates some good practices, such as using prepared statements for most SQL queries and a high percentage of properly escaped output, these strengths are heavily overshadowed by the critical security concerns. The large number of unprotected AJAX endpoints, coupled with the history of unpatched critical vulnerabilities and the presence of dangerous functions, makes this plugin a high-risk component. It is strongly recommended to avoid using this plugin until all identified vulnerabilities are patched and a thorough security audit is conducted.

Key Concerns

  • 25 unprotected AJAX handlers
  • 6 high severity taint flows
  • Dangerous function: unserialize
  • 3 unpatched CVEs
  • 1 critical unpatched CVE
  • 1 high unpatched CVE
  • 12 flows with unsanitized paths
Vulnerabilities
3

CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online Security Vulnerabilities

CVEs by Year

2024: 1 CVE · unpatched
2025: 2 CVEs · unpatched

Severity Breakdown

Critical: 1
High: 1
Medium: 1

3 total CVEs

CVE-2025-60239 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CoSchool LMS <= 1.4.3 - Authenticated (Subscriber+) SQL Injection

Jul 14, 2025 · Unpatched

CVE-2025-30973 · high · 8.1 · Deserialization of Untrusted Data

CoSchool LMS <= 1.4.3 - Unauthenticated PHP Object Injection

Jul 7, 2025 · Unpatched

CVE-2024-54296 · critical · 9.8 · Missing Authorization

CoSchool LMS <= 1.4 - Missing Authorization to Privilege Escalation

Dec 11, 2024 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 2 (59 prepared)
Unescaped Output: 111 (358 escaped)
Nonce Checks: 18
Capability Checks: 14
File Operations: 0
External Requests: 4
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `return unserialize( stripslashes( coschool_sanitize( $_COOKIE[ $this->cart_key ] ) ) );` · app\Payment\Cart.php:53
  • unserialize · `return unserialize( $wishlist );` · app\Student\Data.php:225

SQL Query Safety

97% prepared · 61 total queries

Output Escaping

76% escaped · 469 total outputs
Data Flows
12 unsanitized

Data Flow Analysis

17 flows · 12 with unsanitized paths
payment_form (app\Payment\Provider\Native\PayPal.php:213)
Attack Surface
25 unprotected

CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online Attack Surface

Entry Points: 25
Unprotected: 25

AJAX Handlers 25

  • auth · wp_ajax_create-new-assignment · app\Assignment.php:51
  • auth · wp_ajax_assignment-remove · app\Assignment.php:52
  • auth · wp_ajax_coschool-submit-assignment · app\Assignment.php:53
  • auth · wp_ajax_coschool-apply-coupon · app\Coupon.php:44
  • nopriv · wp_ajax_coschool-apply-coupon · app\Coupon.php:45
  • auth · wp_ajax_course-review · app\Course.php:43
  • auth · wp_ajax_wishlist · app\Course.php:44
  • auth · wp_ajax_coschool-enrollment-approval · app\Enrollment.php:38
  • auth · wp_ajax_update-profile · app\Instructor.php:38
  • auth · wp_ajax_review-reply · app\Instructor.php:39
  • auth · wp_ajax_create-course · app\Instructor.php:40
  • auth · wp_ajax_edit-course · app\Instructor.php:41
  • auth · wp_ajax_edit-quiz · app\Instructor.php:42
  • auth · wp_ajax_edit-assignment · app\Instructor.php:43
  • auth · wp_ajax_create-lesson · app\Instructor.php:44
  • auth · wp_ajax_coschool-delete-course · app\Instructor.php:46
  • auth · wp_ajax_create-new-lesson · app\Lesson.php:44
  • auth · wp_ajax_mark-complete · app\Lesson.php:45
  • auth · wp_ajax_create-new-quiz · app\Quiz.php:44
  • auth · wp_ajax_coschool-start-quiz · app\Quiz.php:45
  • auth · wp_ajax_coschool-quiz-submit · app\Quiz.php:46
  • auth · wp_ajax_coschool-attempt-point · app\Quiz.php:47
  • auth · wp_ajax_coschool-attempt-feedback · app\Quiz.php:48
  • auth · wp_ajax_periodic-item · app\Report.php:40
  • auth · wp_ajax_update-profile · app\Student.php:38

WordPress Hooks 87

  • filter · coschool_content_tabs · app\Assignment.php:28
  • action · wp_enqueue_scripts · app\Assignment.php:33
  • action · init · app\Assignment.php:38
  • action · manage_assignment_posts_columns · app\Assignment.php:39
  • action · manage_assignment_posts_custom_column · app\Assignment.php:40
  • action · admin_menu · app\Assignment.php:41
  • action · submenu_file · app\Assignment.php:42
  • filter · post_type_link · app\Assignment.php:43
  • filter · the_content · app\Assignment.php:44
  • filter · post_updated_messages · app\Assignment.php:45
  • filter · bulk_post_updated_messages · app\Assignment.php:46
  • action · admin_init · app\Assignment.php:58
  • action · cx-settings-before-fields · app\Assignment.php:59
  • action · plugins_loaded · app\Assignment.php:64
  • action · init · app\Coupon.php:38
  • action · manage_coupon_posts_columns · app\Coupon.php:39
  • action · manage_coupon_posts_custom_column · app\Coupon.php:40
  • filter · post_updated_messages · app\Coupon.php:41
  • filter · bulk_post_updated_messages · app\Coupon.php:42
  • action · admin_init · app\Coupon.php:47
  • action · init · app\Course.php:36
  • action · manage_course_posts_columns · app\Course.php:37
  • action · manage_course_posts_custom_column · app\Course.php:38
  • filter · post_updated_messages · app\Course.php:39
  • filter · bulk_post_updated_messages · app\Course.php:40
  • action · init · app\Course.php:42
  • action · admin_init · app\Course.php:46
  • action · add_meta_boxes · app\Course.php:47
  • action · save_post_course · app\Course.php:48
  • action · wp_head · app\Course.php:49
  • action · admin_enqueue_scripts · app\CourseBundle.php:22
  • action · admin_init · app\CourseBundle.php:23
  • action · save_post_bundle · app\CourseBundle.php:24
  • filter · post_updated_messages · app\CourseBundle.php:25
  • filter · bulk_post_updated_messages · app\CourseBundle.php:26
  • action · wp_enqueue_scripts · app\CourseBundle.php:32
  • action · init · app\CourseBundle.php:39
  • action · manage_bundle_posts_columns · app\CourseBundle.php:40
  • action · manage_bundle_posts_custom_column · app\CourseBundle.php:41
  • action · admin_menu · app\Enrollment.php:36
  • action · coschool_content_completed · app\Enrollment.php:37
  • action · init · app\Instructor.php:36
  • action · init · app\Lesson.php:36
  • action · manage_lesson_posts_columns · app\Lesson.php:37
  • action · manage_lesson_posts_custom_column · app\Lesson.php:38
  • filter · post_type_link · app\Lesson.php:39
  • filter · the_content · app\Lesson.php:40
  • filter · post_updated_messages · app\Lesson.php:41
  • filter · bulk_post_updated_messages · app\Lesson.php:42
  • action · admin_init · app\Lesson.php:47
  • action · cx-settings-before-fields · app\Lesson.php:48
  • action · admin_menu · app\Payment.php:39
  • action · init · app\Payment.php:41
  • action · coschool-enroll_form_submitted · app\Payment.php:42
  • action · coschool_course_enroll · app\Payment.php:43
  • action · init · app\Payment.php:51
  • action · wp_footer · app\Payment.php:52
  • action · coschool_payment_form_paypal · app\Payment.php:53
  • filter · coschool_paypal_payment_id · app\Payment.php:54
  • filter · coschool_payment_paypal_config · app\Payment.php:55
  • filter · coschool_test-payment_payment_id · app\Payment.php:59
  • action · init · app\Question.php:36
  • action · manage_question_posts_columns · app\Question.php:37
  • action · manage_question_posts_custom_column · app\Question.php:38
  • action · add_meta_boxes · app\Question.php:40
  • action · init · app\Quiz.php:36
  • action · manage_quiz_posts_columns · app\Quiz.php:37
  • action · manage_quiz_posts_custom_column · app\Quiz.php:38
  • filter · post_type_link · app\Quiz.php:39
  • filter · the_content · app\Quiz.php:40
  • filter · post_updated_messages · app\Quiz.php:41
  • filter · bulk_post_updated_messages · app\Quiz.php:42
  • action · add_meta_boxes · app\Quiz.php:50
  • action · admin_init · app\Quiz.php:51
  • action · cx-settings-before-fields · app\Quiz.php:52
  • action · save_post_quiz · app\Quiz.php:53
  • action · admin_menu · app\Quiz.php:55
  • action · submenu_file · app\Quiz.php:56
  • action · admin_menu · app\Report.php:36
  • filter · coschool-admin-localized · app\Report.php:37
  • filter · coschool-localized-quiz · app\Report.php:38
  • filter · coschool-localized-quiz · app\Report.php:39
  • action · phpmailer_init · app\Smtp\Email.php:18
  • filter · coschool_settings · app\Smtp.php:20
  • action · plugins_loaded · app\Smtp.php:25
  • action · init · app\Student.php:36
  • action · admin_menu · app\Student.php:37

Scheduled Events 1

codexpert-daily
Maintenance & Trust

CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 3, 2025
PHP min version: 7.4
Downloads: 4K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 40
Developer Profile

CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online Developer Profile

Codexpert, Inc

10 plugins · 41K total installs

Trust score: 75
Avg Security Score: 81/100
Avg Patch Time: 39 days
Detection Fingerprints

How We Detect CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/coschool/assets/css/frontend.css
  • /wp-content/plugins/coschool/assets/css/frontend.min.css
  • /wp-content/plugins/coschool/assets/css/backend.css
  • /wp-content/plugins/coschool/assets/css/backend.min.css
  • /wp-content/plugins/coschool/assets/js/frontend.js
  • /wp-content/plugins/coschool/assets/js/frontend.min.js
  • /wp-content/plugins/coschool/assets/js/backend.js
  • /wp-content/plugins/coschool/assets/js/backend.min.js
  • +2 more

Version Parameters

  • coschool/assets/css/frontend.css?ver=
  • coschool/assets/css/frontend.min.css?ver=
  • coschool/assets/css/backend.css?ver=
  • coschool/assets/css/backend.min.css?ver=
  • coschool/assets/js/frontend.js?ver=
  • coschool/assets/js/frontend.min.js?ver=
  • coschool/assets/js/backend.js?ver=
  • coschool/assets/js/backend.min.js?ver=
  • coschool/assets/fonts/fontello.css?ver=
  • coschool/assets/fonts/fontello.min.css?ver=

HTML / DOM Fingerprints

CSS Classes

  • coschool-enroll
  • coschool-dashboard
  • coschool-login
  • coschool-courses

Data Attributes

  • data-coschool-id

JS Globals

  • coschool_vars

REST Endpoints

  • /wp-json/coschool/v1/get_courses
  • /wp-json/coschool/v1/course_details
  • /wp-json/coschool/v1/get_lessons
  • /wp-json/coschool/v1/lesson_details
  • /wp-json/coschool/v1/get_quizzes
  • /wp-json/coschool/v1/quiz_details
  • /wp-json/coschool/v1/submit_quiz
  • /wp-json/coschool/v1/get_assignments
  • /wp-json/coschool/v1/assignment_details
  • /wp-json/coschool/v1/submit_assignment
  • /wp-json/coschool/v1/get_certificates
  • /wp-json/coschool/v1/enroll_course
  • /wp-json/coschool/v1/unenroll_course
  • /wp-json/coschool/v1/user_progress
  • /wp-json/coschool/v1/course_enrollment_status

Shortcode Output

  • [coschool_enroll]
  • [coschool_dashboard]
  • [coschool_login]
  • [coschool_courses]