School Management System – WPSchoolPress Security & Risk Analysis

wordpress.org/plugins/wpschoolpress

An extensive plugin for school management with features like attendance, class management, time table, exams, grades, student-teacher-parent notificat …

2K active installs v2.2.35 PHP 7.4+ WP 6.7+ Updated Feb 17, 2026
Tags: attendance-management, exam-schedule-management, staff-information-management, student-information-management, time-table-management
Score: 88 (A · Safe)
CVEs total: 13
Unpatched: 0
Last CVE: Nov 13, 2025
Safety Verdict

Is School Management System – WPSchoolPress Safe to Use in 2026?

Generally Safe

Score 88/100

School Management System – WPSchoolPress has a strong security track record. Known vulnerabilities have been patched promptly.

13 known CVEs · Last CVE: Nov 13, 2025 · Updated 1mo ago
Risk Assessment

The WPSchoolPress plugin exhibits a concerning security posture, primarily due to a significant number of unprotected AJAX handlers, representing a large attack surface. The static analysis reveals 78 AJAX handlers, all of which lack authentication checks, making them direct entry points for potential attackers. Furthermore, the plugin utilizes a dangerous function ('unserialize') 36 times and demonstrates a high number of unsanitized paths in its taint analysis, with 18 critical flows, indicating a substantial risk of vulnerabilities like Cross-Site Scripting and SQL Injection. The plugin's vulnerability history, with 13 known CVEs including SQL Injection, Authorization Bypass, CSRF, and XSS, further underscores these systemic weaknesses. While the plugin does show strengths in its use of prepared statements for SQL queries (84%) and proper output escaping (97%), these positive aspects are significantly overshadowed by the critical vulnerabilities present in its entry point security and data handling.

Key Concerns

  • Large attack surface without auth checks
  • Dangerous function 'unserialize' used
  • High severity taint flows found
  • Missing nonce checks on AJAX handlers
  • Known vulnerability history (13 CVEs)
  • Bundled outdated library (DataTables)
Vulnerabilities
13

School Management System – WPSchoolPress Security Vulnerabilities

CVEs by Year

2021: 3 CVEs
2023: 3 CVEs
2024: 1 CVE
2025: 6 CVEs

Severity Breakdown

High: 5
Medium: 8

13 total CVEs

CVE-2025-11981 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

School Management System – WPSchoolPress <= 2.2.23 - Authenticated (Administrator+) SQL Injection

Nov 13, 2025 Patched in 2.2.24 (1d)

CVE-2025-1668 · medium · 4.3 · Missing Authorization

School Management System – WPSchoolPress <= 2.2.16 - Missing Authorization to Arbitrary User Deletion

Mar 14, 2025 Patched in 2.2.17 (236d)

CVE-2025-1670 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

School Management System – WPSchoolPress <= 2.2.16 - Authenticated (Parent+) SQL Injection

Mar 14, 2025 Patched in 2.2.17 (236d)

CVE-2025-1667 · high · 8.8 · Authorization Bypass Through User-Controlled Key

School Management System – WPSchoolPress <= 2.2.16 - Missing Authorization to Privilege Escalation via Account Takeover

Mar 14, 2025 Patched in 2.2.17 (236d)

CVE-2025-1669 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

School Management System – WPSchoolPress <= 2.2.17 - Authenticated (Teacher+) SQL Injection

Mar 14, 2025 Patched in 2.2.18 (236d)

CVE-2024-12332 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

School Management System – WPSchoolPress <= 2.2.14 - Authenticated (Student/Parent+) SQL Injection

Jan 6, 2025 Patched in 2.2.15 (200d)

CVE-2024-9637 · high · 8.8 · Authorization Bypass Through User-Controlled Key

School Management System – WPSchoolPress <= 2.2.10 - Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation

Oct 25, 2024 Patched in 2.2.11 (5d)

CVE-2023-4776 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WPSchoolPress <= 2.2.4 - Authenticated(Teacher+) SQL Injection via ClassID

Sep 25, 2023 Patched in 2.2.5 (120d)

WF-1a2fb050-1a7c-45cc-86c7-02331d47f780-wpschoolpress · medium · 6.3 · Cross-Site Request Forgery (CSRF)

WPSchoolPress <= 2.2.4 - Cross-Site Request Forgery

Sep 18, 2023 Patched in 2.2.5 (127d)

CVE-2023-37887 · medium · 5.4 · Missing Authorization

WPSchoolPress <= 2.2.3 - Missing Authorization

Jul 11, 2023 Patched in 2.2.4 (196d)

WF-58a83ec8-e294-4fb6-9f1a-19562b2e499d-wpschoolpress · high · 7.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

School Management System – WPSchoolPress < 2.1.10 - Reflected Cross-Site Scripting

Oct 11, 2021 Patched in 2.1.10 (834d)

CVE-2021-24575 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

School Management System – WPSchoolPress <= 2.1.9 - SQL Injection

Oct 11, 2021 Patched in 2.1.10 (834d)

CVE-2021-24664 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

School Management System – WPSchoolPress <= 2.1.16 - Stored Cross-Site Scripting

Oct 11, 2021 Patched in 2.1.17 (834d)

Code Analysis
Analyzed Mar 16, 2026

School Management System – WPSchoolPress Code Analysis

Dangerous Functions: 36
Raw SQL Queries: 76 (388 prepared)
Unescaped Output: 115 (3238 escaped)
Nonce Checks: 5
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $get_sessions = unserialize($check_tt->heading); · includes\wpsp-createTimetable.php:81
unserialize · $get_sessions = unserialize($check_tt->heading); · includes\wpsp-editTimetable.php:24
unserialize · $get_sessions = unserialize($check_tt->heading); · includes\wpsp-newTimetable.php:75
unserialize · $class_id_array = unserialize( $stu->class_id ); · includes\wpsp-parentList.php:153
unserialize · $class_id_array = unserialize( $stu->class_id ); · includes\wpsp-parentList.php:180
unserialize · $class_id_array = unserialize( $stu->class_id ); · includes\wpsp-studentList.php:159
unserialize · $class_id_array = unserialize( $stinfo->class_id ); · includes\wpsp-studentList.php:186
unserialize · $class_id_array = unserialize($stinfo->class_id); · includes\wpsp-studentList.php:250
unserialize · $classIDArray = unserialize($stinfo->class_id); · includes\wpsp-studentProfile.php:646
unserialize · $class_id_array = unserialize( $stu->class_id ); · includes\wpsp-viewMark.php:38
unserialize · $session = unserialize($get_heading->heading); · includes\wpsp-viewTimetable.php:19
unserialize · $class_id_array = unserialize( $stu->class_id ); · pages\wpsp-attendance.php:101
unserialize · $class_id_array = unserialize($stinfo->class_id); · pages\wpsp-attendance.php:241
unserialize · $classid_array = unserialize($stinfo->class_id); · pages\wpsp-attendance.php:257
unserialize · $class_id_array = unserialize($stinfo->class_id); · pages\wpsp-attendance.php:345
unserialize · $classid_array = unserialize($stinfo->class_id); · pages\wpsp-attendance.php:360
unserialize · $class_id_array = unserialize( $stu->class_id ); · pages\wpsp-class.php:69
unserialize · $classIDArray = unserialize($sclas->class_id); · pages\wpsp-dashboard.php:46
unserialize · $classIDArray = unserialize($sclas->class_id); · pages\wpsp-dashboard.php:149
unserialize · $class_id_array = unserialize( $wpsp_stud_data[0]->class_id ); · pages\wpsp-dashboard.php:268
unserialize · $examclassid = unserialize($examinfo->class_id); · pages\wpsp-dashboard.php:521
unserialize · $examclassid = unserialize($parray); · pages\wpsp-dashboard.php:556
unserialize · $class_id_array = unserialize($count->class_id); · pages\wpsp-history.php:76
unserialize · $class_id_array = unserialize( $stu->class_id ); · pages\wpsp-marks.php:196
unserialize · $class_id_array = unserialize( $stu->class_id ); · pages\wpsp-marks.php:264
unserialize · $class_id_array = unserialize($studentdata->class_id); · pages\wpsp-messages.php:454
unserialize · $class_id_array = unserialize($parentdata->class_id); · pages\wpsp-messages.php:506
unserialize · $c_id = unserialize($sid->class_id); · pages\wpsp-messages.php:555
unserialize · $class_data = unserialize($sid->class_id); · pages\wpsp-messages.php:591
unserialize · $class_id_array = unserialize( $wpsp_stud_data[0]->class_id ); · pages\wpsp-payment.php:167
unserialize · $classIDArray = unserialize($stinfo->class_id); · pages\wpsp-student.php:86
unserialize · $jsonArray = unserialize($jsondata); · pages\wpsp-student.php:232
unserialize · $class_id_array = unserialize( $wpsp_stud[0]->class_id ); · wpsp-layout.php:585
unserialize · $classIDArray = unserialize($wpsp_classes[0]->class_id); · wpsp-layout.php:662
unserialize · $class_id_array = unserialize( $wpsp_stud[0]->class_id ); · wpsp-layout.php:887
unserialize · $classArray = unserialize($sclas->class_id); · wpsp-layout.php:984

Bundled Libraries

DataTables

SQL Query Safety

84% prepared · 464 total queries

Output Escaping

97% escaped · 3353 total outputs
Data Flows
20 unsanitized

Data Flow Analysis

25 flows · 20 with unsanitized paths
<wpsp-school-login> (wpsp-school-login.php:0)
Attack Surface
78 unprotected

School Management System – WPSchoolPress Attack Surface

Entry Points: 78
Unprotected: 78

AJAX Handlers 78

auth · wp_ajax_listdashboardschedule · wpschoolpress.php:77
auth · wp_ajax_StudentProfile · wpschoolpress.php:78
auth · wp_ajax_AddStudent · wpschoolpress.php:79
auth · wp_ajax_UpdateStudent · wpschoolpress.php:80
auth · wp_ajax_StudentPublicProfile · wpschoolpress.php:81
auth · wp_ajax_ParentPublicProfile · wpschoolpress.php:82
auth · wp_ajax_TeacherPublicProfile · wpschoolpress.php:83
auth · wp_ajax_bulkDelete · wpschoolpress.php:84
auth · wp_ajax_undoImport · wpschoolpress.php:85
auth · wp_ajax_AddTeacher · wpschoolpress.php:86
auth · wp_ajax_AddParent · wpschoolpress.php:87
auth · wp_ajax_AddClass · wpschoolpress.php:88
auth · wp_ajax_UpdateClass · wpschoolpress.php:89
auth · wp_ajax_GetClass · wpschoolpress.php:90
auth · wp_ajax_DeleteClass · wpschoolpress.php:91
auth · wp_ajax_Updateregisterdeactive · wpschoolpress.php:92
auth · wp_ajax_Updateregisteractive · wpschoolpress.php:93
auth · wp_ajax_bulkaproverequest · wpschoolpress.php:94
auth · wp_ajax_bulkdisaproverequest · wpschoolpress.php:95
auth · wp_ajax_AddExam · wpschoolpress.php:96
auth · wp_ajax_UpdateExam · wpschoolpress.php:97
auth · wp_ajax_ExamInfo · wpschoolpress.php:98
auth · wp_ajax_DeleteExam · wpschoolpress.php:99
auth · wp_ajax_getStudentsList · wpschoolpress.php:100
auth · wp_ajax_AttendanceEntry · wpschoolpress.php:101
auth · wp_ajax_deleteAttendance · wpschoolpress.php:102
auth · wp_ajax_getStudentsAttendanceList · wpschoolpress.php:103
auth · wp_ajax_getAbsentees · wpschoolpress.php:104
auth · wp_ajax_getAbsentDates · wpschoolpress.php:105
auth · wp_ajax_getAttReport · wpschoolpress.php:106
auth · wp_ajax_AddSubject · wpschoolpress.php:107
auth · wp_ajax_SubjectInfo · wpschoolpress.php:108
auth · wp_ajax_UpdateSubject · wpschoolpress.php:109
auth · wp_ajax_DeleteSubject · wpschoolpress.php:110
auth · wp_ajax_subjectList · wpschoolpress.php:111
auth · wp_ajax_save_timetable · wpschoolpress.php:112
auth · wp_ajax_deletsloat · wpschoolpress.php:113
auth · wp_ajax_deletTimetable · wpschoolpress.php:114
auth · wp_ajax_addMark · wpschoolpress.php:115
auth · wp_ajax_getMarksubject · wpschoolpress.php:116
auth · wp_ajax_GenSetting · wpschoolpress.php:118
auth · wp_ajax_GenSettingsms · wpschoolpress.php:119
auth · wp_ajax_GenSettingsocial · wpschoolpress.php:120
auth · wp_ajax_GenSettinglicensing · wpschoolpress.php:121
auth · wp_ajax_addSubField · wpschoolpress.php:122
auth · wp_ajax_updateSubField · wpschoolpress.php:123
auth · wp_ajax_deleteSubField · wpschoolpress.php:124
auth · wp_ajax_manageGrade · wpschoolpress.php:125
auth · wp_ajax_addEvent · wpschoolpress.php:126
auth · wp_ajax_updateEvent · wpschoolpress.php:127
auth · wp_ajax_deleteEvent · wpschoolpress.php:128
auth · wp_ajax_listEvent · wpschoolpress.php:129
auth · wp_ajax_deleteAllLeaves · wpschoolpress.php:130
auth · wp_ajax_addLeaveDay · wpschoolpress.php:131
auth · wp_ajax_getLeaveDays · wpschoolpress.php:132
auth · wp_ajax_getClassYear · wpschoolpress.php:133
auth · wp_ajax_addTransport · wpschoolpress.php:134
auth · wp_ajax_updateTransport · wpschoolpress.php:135
auth · wp_ajax_viewTransport · wpschoolpress.php:136
auth · wp_ajax_deleteTransport · wpschoolpress.php:137
auth · wp_ajax_sendMessage · wpschoolpress.php:138
auth · wp_ajax_sendSubMessage · wpschoolpress.php:139
auth · wp_ajax_viewMessage · wpschoolpress.php:140
auth · wp_ajax_deleteMessage · wpschoolpress.php:141
auth · wp_ajax_photoUpload · wpschoolpress.php:142
auth · wp_ajax_deletePhoto · wpschoolpress.php:143
auth · wp_ajax_DeleteStudent · wpschoolpress.php:144
auth · wp_ajax_DeleteTeacher · wpschoolpress.php:145
auth · wp_ajax_getTeachersList · wpschoolpress.php:147
auth · wp_ajax_TeacherAttendanceEntry · wpschoolpress.php:148
auth · wp_ajax_TeacherAttendanceDelete · wpschoolpress.php:149
auth · wp_ajax_TeacherAttendanceView · wpschoolpress.php:150
auth · wp_ajax_UpdateTeacher · wpschoolpress.php:151
auth · wp_ajax_deleteNotify · wpschoolpress.php:153
auth · wp_ajax_getNotify · wpschoolpress.php:154
auth · wp_ajax_addNotify · wpschoolpress.php:156
auth · wp_ajax_changepassword · wpschoolpress.php:158
auth · wp_ajax_ImportContents · wpschoolpress.php:160
WordPress Hooks 14
action · plugins_loaded · wpschoolpress.php:46
action · admin_init · wpschoolpress.php:74
action · activated_plugin · wpschoolpress.php:170
filter · login_headerurl · wpschoolpress.php:182
action · init · wpschoolpress.php:189
action · admin_menu · wpsp-class-admin.php:666
action · login_enqueue_scripts · wpsp-class-admin.php:670
action · admin_enqueue_scripts · wpsp-class-admin.php:672
action · wp_before_admin_bar_render · wpsp-class-admin.php:677
filter · login_redirect · wpsp-class-public.php:150
filter · page_template · wpsp-class-public.php:155
action · login_head · wpsp-school-login.php:34
action · login_head · wpsp-school-login.php:35
action · login_head · wpsp-school-login.php:49
Maintenance & Trust

School Management System – WPSchoolPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 17, 2026
PHP min version: 7.4
Downloads: 197K

Community Trust

Rating: 80/100
Number of ratings: 21
Active installs: 2K
Developer Profile

School Management System – WPSchoolPress Developer Profile

Ronik@UnlimitedWP

3 plugins · 2K total installs

Trust score: 64
Avg Security Score: 79/100
Avg Patch Time: 315 days
Detection Fingerprints

How We Detect School Management System – WPSchoolPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wpschoolpress/assets/css/wpschoolpress-admin.css
  • /wp-content/plugins/wpschoolpress/assets/css/wpschoolpress-public.css
  • /wp-content/plugins/wpschoolpress/assets/js/wpschoolpress-admin.js
  • /wp-content/plugins/wpschoolpress/assets/js/wpschoolpress-public.js
  • /wp-content/plugins/wpschoolpress/assets/js/wpschoolpress-settings.js
  • /wp-content/plugins/wpschoolpress/assets/js/wpschoolpress-custom.js
  • /wp-content/plugins/wpschoolpress/assets/css/wpsp-responsive.css
Script Paths
  • /wp-content/plugins/wpschoolpress/assets/js/wpschoolpress-admin.js
  • /wp-content/plugins/wpschoolpress/assets/js/wpschoolpress-public.js
  • /wp-content/plugins/wpschoolpress/assets/js/wpschoolpress-settings.js
  • /wp-content/plugins/wpschoolpress/assets/js/wpschoolpress-custom.js
Version Parameters
  • wpschoolpress/assets/css/wpschoolpress-admin.css?ver=
  • wpschoolpress/assets/css/wpschoolpress-public.css?ver=
  • wpschoolpress/assets/js/wpschoolpress-admin.js?ver=
  • wpschoolpress/assets/js/wpschoolpress-public.js?ver=
  • wpschoolpress/assets/js/wpschoolpress-settings.js?ver=
  • wpschoolpress/assets/js/wpschoolpress-custom.js?ver=
  • wpschoolpress/assets/css/wpsp-responsive.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpsp-admin-wrapper
  • wpsp-public-wrapper
  • wpsp-settings-page
  • wpsp-dashboard-schedule
  • wpsp-student-profile
  • wpsp-teacher-profile
  • wpsp-add-student-form
  • wpsp-update-student-form
  • +13 more
HTML Comments
  • <!-- WPSchoolPress Settings -->
  • <!-- WPSchoolPress Admin Dashboard -->
  • <!-- WPSchoolPress Public View -->
  • <!-- WPSchoolPress Student Profile -->
  • +16 more
Data Attributes
  • data-wpsp-action
  • data-wpsp-id
JS Globals
  • WPSP_AJAX_URL
  • WPSP_PLUGIN_URL
  • wpsp_settings_data
  • wpsp_admin
  • wpsp_public
REST Endpoints
  • /wp-json/wpschoolpress/v1/settings
  • /wp-json/wpschoolpress/v1/students
  • /wp-json/wpschoolpress/v1/teachers
  • /wp-json/wpschoolpress/v1/parents
  • /wp-json/wpschoolpress/v1/classes
  • /wp-json/wpschoolpress/v1/exams
  • /wp-json/wpschoolpress/v1/subjects
  • /wp-json/wpschoolpress/v1/attendance
  • /wp-json/wpschoolpress/v1/timetable
  • /wp-json/wpschoolpress/v1/transport
  • /wp-json/wpschoolpress/v1/messages
  • /wp-json/wpschoolpress/v1/photos
  • /wp-json/wpschoolpress/v1/grades
Shortcode Output
  • [wpsp_dashboard]
  • [wpsp_student_profile]
  • [wpsp_teacher_profile]
  • [wpsp_parent_profile]
FAQ

Frequently Asked Questions about School Management System – WPSchoolPress