CVE-2025-15656: Privilege Escalation in Mojoomla School Management – Patch Guidance & Detection
Mojoomla School Management contains a privilege escalation vulnerability stemming from improper assignment of user permissions. An authenticated attacker with basic user-level access can exploit this flaw to gain elevated privileges within the application, potentially obtaining administrative capabilities. The vulnerability affects all versions from the earliest tracked through version 93.2.0, making it a broad exposure for deployments that have not yet patched.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-266
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Incorrect Privilege Assignment vulnerability in Mojoomla School Management allows Privilege Escalation. This issue affects School Management: from n/a through 93.2.0.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-15656 is an Incorrect Privilege Assignment vulnerability (CWE-266) in Mojoomla School Management that enables privilege escalation. The flaw allows an authenticated, low-privileged user to manipulate or bypass permission checks during privilege assignment operations. Because the vulnerability requires prior authentication (PR:L) but no user interaction (UI:N) and is network-accessible (AV:N), exploitation is straightforward once an attacker gains initial login credentials. The impact scope is unchanged (S:U), meaning the attacker gains only the privileges of the application itself, not system-level access.
Business impact
Educational institutions relying on Mojoomla School Management face operational risk if malicious insiders or compromised low-privilege accounts escalate to admin level. Attackers could modify student records, alter grades, access sensitive enrollment or medical information, or disrupt core school administration functions. For multi-tenant deployments, isolation mechanisms become critical; a single compromised tenant account could potentially affect broader systems. Reputational and compliance exposure is significant for schools handling FERPA-protected student data.
Affected systems
Mojoomla School Management versions up to and including 93.2.0 are vulnerable. The vendor product list is not specified in the advisory data; verify your exact version against Mojoomla's release timeline and confirm whether your deployment falls within the affected range. Organizations should audit all active instances of this software to determine patch status.
Exploitability
Exploitation requires valid authentication credentials—a low-privilege user account or a compromised standard user login. Once authenticated, the attacker can trigger the privilege escalation with no additional user interaction or special conditions (AC:L). The attack surface is network-accessible, meaning it can be executed remotely. This creates a medium-to-high exploitability profile: while not unauthenticated, the barrier to entry is manageable for insider threats or credential compromise scenarios. No public exploit or KEV designation is currently recorded.
Remediation
Organizations must upgrade Mojoomla School Management to a patched version beyond 93.2.0. Verify the exact remediated build from the vendor advisory before deployment. Interim controls include restricting user account creation and role assignment to highly privileged administrators, implementing strict role-based access controls (RBAC) reviews, and monitoring privilege assignment operations for anomalies. Consider isolating School Management instances in separate network segments if multi-tenancy is in use.
Patch guidance
Check Mojoomla's official release notes and security advisories for the version that resolves CVE-2025-15656; do not assume a specific patch version without vendor confirmation. Test patches in a staging environment that mirrors production configuration before rolling out to live school systems to avoid disruption during the academic calendar. Schedule patching during maintenance windows and communicate timelines to stakeholders. Verify successful remediation by confirming the installed version and re-testing privilege escalation conditions if possible in a controlled lab environment.
Detection guidance
Monitor application logs for unusual privilege assignment operations, especially role elevation requests originating from non-administrative accounts. Look for rapid successive permission changes or bulk user promotions. Track failed and successful authentication events for low-privilege accounts followed by administrative actions. Implement alerts on any user promotion to admin or super-admin roles outside of normal administrative workflow. Review access control lists (ACLs) and role assignments for unexpected or orphaned elevated accounts. Database query logging can help detect tampering with privilege tables if they are directly manipulated.
Why prioritize this
This vulnerability merits urgent attention due to its CVSS 8.8 (HIGH) severity and the sensitive nature of educational data. The requirement for authentication somewhat lowers urgency compared to unauthenticated RCE, but the high impact (confidentiality, integrity, availability all affected) and ease of exploitation once authenticated justify immediate patching. Educational institutions operating on fixed calendars should prioritize patching during scheduled maintenance windows to minimize service disruption while addressing the risk promptly.
Risk score, explained
The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H reflects a score of 8.8. Network accessibility (AV:N) and low attack complexity (AC:L) indicate ease of remote exploitation. The Low Privilege requirement (PR:L) is the primary mitigating factor—unauthenticated exploitation is not possible. However, the High impact across all three pillars (C, I, A) due to full administrative capability compromise drives the overall severity into the HIGH band. Scope unchanged (S:U) means the attacker does not break out of the application boundary, limiting systemic blast radius but not reducing the application-level threat.
Frequently asked questions
Can this vulnerability be exploited without a login?
No. CVE-2025-15656 requires prior authentication with at least basic user-level credentials. An unauthenticated attacker cannot trigger it; however, compromised standard user accounts, weak passwords, or insider threats can all serve as entry points.
What are the primary attack scenarios?
A malicious insider with a regular teacher or staff account could escalate to admin to alter grades or access confidential records. A threat actor who obtains login credentials through phishing or credential reuse can pivot from a low-privilege foothold to full administrative control. Multi-tenant deployments are at additional risk if an attacker compromises one tenant's user account.
Is there a workaround if we cannot patch immediately?
While patching is the definitive fix, interim controls include restricting who can create or modify user roles (limit to very few trusted admins), enforcing strong authentication (MFA if available), and monitoring role assignment operations closely. However, these are not substitutes for patching—they buy time only. Plan a patch deployment urgently.
Does this affect older or newer versions?
The vulnerability is confirmed in versions through 93.2.0. Verify the exact patch version from Mojoomla's official advisory. Versions released after the patch announcement should be safe, but always confirm against vendor release notes.
This analysis is provided for informational purposes and based on publicly available vulnerability data as of the publication date. Organizations should verify all patch version numbers, vendor advisories, and remediation timelines directly with Mojoomla before taking action. SEC.co makes no warranty regarding the accuracy, completeness, or suitability of this information for any specific environment. Always test patches in a non-production environment first. Consult with your security team and software vendor for guidance tailored to your infrastructure and compliance requirements. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10236HIGHSourceCodester Water Billing System Improper Authorization Vulnerability (CVSS 7.3)
- CVE-2026-35671HIGHphpMyFAQ Admin API Privilege Escalation Vulnerability
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10217MEDIUMGoClaw Privilege Escalation in RoleAdmin Gateway (CVSS 6.3)
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0