PatchSiren cyber security CVE debrief
CVE-2025-15657 Mojoomla CVE debrief
CVE-2025-15657 is a MEDIUM severity vulnerability (CVSS Score: 5.3) affecting School Management plugin versions <= 93.1.0. This Unauthenticated Insecure Direct Object References (IDOR) vulnerability allows attackers to access sensitive data without authentication. The vulnerability was published on June 17, 2026, and last modified on the same day. Users of the affected plugin should take immediate action to mitigate potential risks.
- Vendor: Mojoomla
- Product: School Management
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-17
Who should care
Administrators and users of the School Management plugin, especially those using versions <= 93.1.0, should be aware of this vulnerability and take necessary actions to secure their installations.
Technical summary
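The vulnerability is an Unauthenticated Insecure Direct Object References (IDOR) issue in the School Management plugin. It has a CVSS score of 5.3 and a severity of MEDIUM. The vulnerability allows unauthenticated attackers to access sensitive data, with low impact on confidentiality. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, scope unchanged, low confidentiality impact, and no integrity or availability impact.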
Defensive priority
MEDIUM
Recommended defensive actions
- Update the School Management plugin to a version greater than 93.1.0.
- Implement proper access controls and authentication mechanisms.
- Monitor plugin usage and logs for suspicious activity.
- Consider using a Web Application Firewall (WAF) to detect and prevent attacks.
- Regularly update and patch plugins and software.
- Use secure protocols for data transmission.
Evidence notes
The vulnerability information was obtained from the National Vulnerability Database (NVD) and Patchstack. The CVE record and NVD detail pages provide further information about the vulnerability.
Official resources
- CVE-2025-15657 CVE record (CVE.org)
- CVE-2025-15657 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2025-15657 was published on June 17, 2026, and last modified on the same day.