Platform: php
Component: my-cve-reports
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in codingWithElias School Management System versions up to f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. This flaw, located in the 'Edit Student Info Page' component's /student-view.php file, allows attackers to inject malicious scripts. Public exploits are available, increasing the risk of exploitation. The system follows a rolling release model, so specific version details are not provided.
Successful exploitation of CVE-2025-13795 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious actions, including session hijacking, defacement of the School Management System's interface, and theft of sensitive user data such as student records, grades, and personal information. Given the public availability of an exploit, the risk of widespread exploitation is significant. The impact is amplified if the system is used to manage sensitive student data or is integrated with other critical systems.
CVE-2025-13795 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. The ease of exploitation, combined with the potential for data theft and system compromise, makes this a significant security concern.
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2025-13795 is to upgrade to version 1.0.1. Due to the rolling release nature of the School Management System, direct rollbacks may not be possible. As a temporary workaround, input validation and output encoding should be implemented on the 'First Name' field in /student-view.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /student-view.php endpoint can also provide some protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the 'First Name' field and verifying that the script does not execute.
Update to a patched version of the School Management System. Contact the vendor for a corrected version or apply a patch that filters the input of the 'First Name' field in the /student-view.php file to prevent the execution of malicious JavaScript code.
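The following PHP is an added illustration of the workaround described above (validate the 'First Name' value on input, encode it on output); it is not the project's code. Only the file and field names come from the advisory; the page structure, the helper names `h()`, `validateFirstName()`, `renderVulnerable()` and `renderSafe()`, and the sample value are assumed for the example.

```php
<?php
// Added illustration, not the project's code: a hypothetical fragment of
// /student-view.php that renders a student's first name. The field and file
// names come from the advisory; everything else here is assumed.
declare(strict_types=1);

// Output encoding: every untrusted value written into HTML passes through this.
// ENT_QUOTES encodes both quote styles, so the result is also safe inside
// attribute values such as value="...".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation for a name field: accept letters in any script, combining
// marks, spaces, apostrophes, periods and hyphens, and cap the length.
// Reject anything else instead of trying to strip tags, which is easy to bypass.
function validateFirstName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        return null;
    }
    return preg_match("/^[\p{L}\p{M}' .-]+$/u", $name) === 1 ? $name : null;
}

// Vulnerable pattern: the stored value is concatenated straight into the page,
// so a name that contains markup is rendered as markup by the browser.
function renderVulnerable(string $firstName): string
{
    return '<input type="text" name="first_name" value="' . $firstName . '">'
         . '<td>' . $firstName . '</td>';
}

// Hardened pattern: validate on write, encode on every read.
function renderSafe(string $firstName): string
{
    return '<input type="text" name="first_name" value="' . h($firstName) . '">'
         . '<td>' . h($firstName) . '</td>';
}

// Constructed sample: the advisory's own post-upgrade check payload.
$sample = '<script>alert(1)</script>';
echo renderVulnerable($sample), "\n";  // markup reaches the browser unchanged
echo renderSafe($sample), "\n";        // &lt;script&gt;... is shown as text
var_dump(validateFirstName($sample));  // NULL: rejected before it is stored
var_dump(validateFirstName("Anne-Marie O'Neil")); // accepted as a valid name
```

Encoding on output is the control that actually closes the XSS; the validation step only narrows what can be stored and should not be relied on alone, since the same value may be rendered in other pages or contexts.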
CVE-2025-13795 is a cross-site scripting (XSS) vulnerability affecting School Management System versions up to f1ac334bfd89ae9067cc14dea12ec6ff3f078c01, allowing attackers to inject malicious scripts.
If you are using School Management System versions prior to 1.0.1, you are potentially affected by this vulnerability. The system follows a rolling release, so confirm your version against the affected range.
Upgrade to version 1.0.1. If upgrading is not immediately possible, implement input validation and output encoding on the 'First Name' field in /student-view.php as a temporary workaround.
Yes, a public proof-of-concept exploit is available, indicating a high probability of active exploitation.
Refer to the codingWithElias website or their official communication channels for the advisory related to CVE-2025-13795.