CVE-2024-33911

HIGH

Weblizar School Management Pro <= 10.3.4 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-33911. PoCs published by xbz0n.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2024-33911, a post-authenticated SQL injection vulnerability in The School Management plugin v10.3.4. It includes a proof-of-concept for time-based SQL injection via the 'order%5B0%5D%5Bdir%5D' parameter in the /wp-admin/admin-ajax.php endpoint.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar School Management Pro.This issue affects School Management Pro: from n/a through 10.3.4.

Exploits (1)

nomisec WRITEUP 2 stars
by xbz0n · poc
https://github.com/xbz0n/CVE-2024-33911

This repository provides a detailed technical analysis of CVE-2024-33911, a post-authenticated SQL injection vulnerability in The School Management plugin v10.3.4. It includes a proof-of-concept for time-based SQL injection via the 'order%5B0%5D%5Bdir%5D' parameter in the /wp-admin/admin-ajax.php endpoint.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: The School Management plugin v10.3.4
Auth required
Prerequisites: Authenticated access to the WordPress admin panel
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 7.6
EPSS 0.0109
EPSS Percentile 61.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
Weblizar/School Management Pro < 10.3.4
weblizar/school_management < 10.3.4
Published May 02, 2024
Tracked Since Feb 18, 2026