I believe it is a much broader issue than just pulling unpaid months, so I will not help you with code.
One indication of problematic structure of the website is the necessity to pull months dynamically upon selection of some student name in dropdown. Anyone can select arbitrary name and see possibly sensitive data about that person.
I believe students must have a protected user area and all payments be done there. Therefore, a logged in student has extended user id and paid months are fetched via cms:related_pages. Save ids of paid months in a variable. Unpaid months are then fetched via cms:pages with id="NOT previously-saved-ids-of-paid-months".
One indication of problematic structure of the website is the necessity to pull months dynamically upon selection of some student name in dropdown. Anyone can select arbitrary name and see possibly sensitive data about that person.
I believe students must have a protected user area and all payments be done there. Therefore, a logged in student has extended user id and paid months are fetched via cms:related_pages. Save ids of paid months in a variable. Unpaid months are then fetched via cms:pages with id="NOT previously-saved-ids-of-paid-months".