Football Pool Security & Risk Analysis

wordpress.org/plugins/football-pool

Add some game-day fun to your WordPress site! Let users predict match results, earn points, and go head-to-head in a fantasy sports pool.

700 active installs · v2.13.1 · PHP 7.4+ · WP 5.3+ · Updated Sep 9, 2025
Tags: football, game, pool, prediction, sports
Score: 96 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Sep 9, 2025
Safety Verdict

Is Football Pool Safe to Use in 2026?

Generally Safe

Score 96/100

Football Pool has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Sep 9, 2025 · Updated 6mo ago
Risk Assessment

The "football-pool" plugin v2.13.1 presents a mixed security posture. It handles SQL queries well and has a solid number of nonce and capability checks, but several areas raise concern. Four AJAX handlers lack authentication checks, which creates a significant attack surface for unauthorized actions. The taint analysis, though limited in scope, flagged 3 flows with unsanitized paths, which indicate potential vulnerabilities if those paths can be exploited. The plugin's history of 8 medium-severity CVEs, primarily Cross-Site Scripting and CSRF, is a notable weakness. No CVEs are currently unpatched, but the recurrence of the same vulnerability classes suggests a continued need for diligent code review and secure coding practices. The most recent CVE dates from 2025, which is recent relative to the analysis date and therefore a concern.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths
  • History of 8 medium CVEs
  • Output escaping below 50%

Vulnerabilities: 8

Football Pool Security Vulnerabilities

CVEs by Year

  • 2017: 1 CVE
  • 2024: 3 CVEs
  • 2025: 4 CVEs

Severity Breakdown

Medium: 8 (8 total CVEs)

CVE-2025-58987 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Football Pool <= 2.12.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 9, 2025 · Patched in 2.13.0 (7d)

CVE-2025-53280 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Football Pool <= 2.12.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 27, 2025 · Patched in 2.12.6 (12d)

CVE-2025-5490 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Football Pool <= 2.12.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jun 18, 2025 · Patched in 2.12.5 (7d)

CVE-2025-30764 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Football Pool <= 2.12.2 - Cross-Site Request Forgery to Settings Update

Mar 26, 2025 · Patched in 2.12.3 (28d)

CVE-2024-43139 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Football Pool <= 2.11.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Aug 7, 2024 · Patched in 2.11.10 (8d)

CVE-2024-43130 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Football Pool <= 2.11.10 - Authenticated (Editor+) Stored Cross-Site Scripting

Aug 7, 2024 · Patched in 2.12.1 (8d)

CVE-2024-29802 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Football pool <= 2.11.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 8, 2024 · Patched in 2.11.4 (84d)

CVE-2017-18524 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Football Pool < 2.6.5 - Cross-Site Scripting

Nov 3, 2017 · Patched in 2.6.5 (2272d)

Code Analysis
Analyzed Mar 16, 2026

Football Pool Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 3 (350 prepared)
  • Unescaped Output: 247 (150 escaped)
  • Nonce Checks: 43
  • Capability Checks: 12
  • File Operations: 5
  • External Requests: 0
  • Bundled Libraries: 2

Bundled Libraries

TinyMCE, jQuery

SQL Query Safety

99% prepared · 353 total queries

Output Escaping

38% escaped · 397 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
show (classes\class-football-pool-pagination.php:139)

Attack Surface: 4 unprotected

Football Pool Attack Surface

Entry Points: 32
Unprotected: 4

AJAX Handlers 4

auth · wp_ajax_footballpool_calculate_scorehistory · football-pool.php:199
auth · wp_ajax_footballpool_update_joker · football-pool.php:201
auth · wp_ajax_footballpool_update_team_prediction · football-pool.php:203
auth · wp_ajax_footballpool_update_bonus_question · football-pool.php:205

Shortcodes 28

[fp-next-match-form] classes\class-football-pool-shortcodes.php:26
[fp-last-calc-date] classes\class-football-pool-shortcodes.php:27
[fp-money-in-the-pot] classes\class-football-pool-shortcodes.php:28
[fp-user-list] classes\class-football-pool-shortcodes.php:29
[fp-predictions] classes\class-football-pool-shortcodes.php:30
[fp-predictionform] classes\class-football-pool-shortcodes.php:31
[fp-group] classes\class-football-pool-shortcodes.php:33
[fp-matches] classes\class-football-pool-shortcodes.php:34
[fp-ranking] classes\class-football-pool-shortcodes.php:35
[fp-scores] classes\class-football-pool-shortcodes.php:37
[fp-match-scores] classes\class-football-pool-shortcodes.php:38
[fp-question-scores] classes\class-football-pool-shortcodes.php:39
[fp-user-score] classes\class-football-pool-shortcodes.php:40
[fp-user-ranking] classes\class-football-pool-shortcodes.php:41
[fp-countdown] classes\class-football-pool-shortcodes.php:42
[fp-register] classes\class-football-pool-shortcodes.php:43
[fp-link] classes\class-football-pool-shortcodes.php:44
[fp-totopoints] classes\class-football-pool-shortcodes.php:45
[fp-fullpoints] classes\class-football-pool-shortcodes.php:46
[fp-goalpoints] classes\class-football-pool-shortcodes.php:47
[fp-diffpoints] classes\class-football-pool-shortcodes.php:48
[fp-jokermultiplier] classes\class-football-pool-shortcodes.php:49
[fp-league-info] classes\class-football-pool-shortcodes.php:50
[fp-stats-settings] classes\class-football-pool-shortcodes.php:51
[fp-chart-settings] classes\class-football-pool-shortcodes.php:52
[fp-plugin-option] classes\class-football-pool-shortcodes.php:53
[fp-next-matches] classes\class-football-pool-shortcodes.php:54
[fp-last-matches] classes\class-football-pool-shortcodes.php:55

WordPress Hooks 37

action · admin_print_footer_scripts · admin\class-football-pool-admin-feature-pointers.php:144
filter · mce_external_plugins · admin\class-football-pool-admin.php:274
filter · mce_buttons · admin\class-football-pool-admin.php:275
action · plugins_loaded · football-pool.php:102
action · init · football-pool.php:107
filter · show_admin_bar · football-pool.php:112
filter · the_content · football-pool.php:113
filter · the_title · football-pool.php:115
action · wp_head · football-pool.php:118
filter · document_title_parts · football-pool.php:119
action · user_register · football-pool.php:124
action · register_form · football-pool.php:125
action · register_post · football-pool.php:126
filter · registration_errors · football-pool.php:127
filter · login_redirect · football-pool.php:130
filter · registration_redirect · football-pool.php:132
filter · wp_privacy_personal_data_exporters · football-pool.php:138
filter · wp_privacy_personal_data_erasers · football-pool.php:141
action · deleted_user · football-pool.php:151
action · admin_menu · football-pool.php:172
action · show_user_profile · football-pool.php:174
action · edit_user_profile · football-pool.php:175
action · personal_options_update · football-pool.php:176
action · edit_user_profile_update · football-pool.php:177
action · admin_enqueue_scripts · football-pool.php:178
action · wp_dashboard_setup · football-pool.php:179
action · admin_init · football-pool.php:181
action · admin_enqueue_scripts · football-pool.php:184
filter · admin_body_class · football-pool.php:185
filter · plugin_action_links · football-pool.php:186
filter · set-screen-option · football-pool.php:188
filter · plugins_loaded · football-pool.php:193
action · widgets_init · widgets\widget-football-pool-group.php:29
action · widgets_init · widgets\widget-football-pool-lastgames.php:29
action · widgets_init · widgets\widget-football-pool-next-prediction.php:29
action · widgets_init · widgets\widget-football-pool-ranking.php:29
action · widgets_init · widgets\widget-football-pool-shoutbox.php:29

Maintenance & Trust

Football Pool Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Sep 9, 2025
  • PHP min version: 7.4
  • Downloads: 96K

Community Trust

  • Rating: 98/100
  • Number of ratings: 82
  • Active installs: 700

Developer Profile

Football Pool Developer Profile

AntoineH

1 plugin · 700 total installs

  • Trust score: 76
  • Avg Security Score: 96/100
  • Avg Patch Time: 303 days

Detection Fingerprints

How We Detect Football Pool

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/football-pool/css/football-pool.css
  • /wp-content/plugins/football-pool/css/football-pool-admin.css
  • /wp-content/plugins/football-pool/css/football-pool-charts.css
  • /wp-content/plugins/football-pool/css/football-pool-comments.css
  • /wp-content/plugins/football-pool/css/football-pool-tables.css
  • /wp-content/plugins/football-pool/js/football-pool.js
  • /wp-content/plugins/football-pool/js/football-pool-admin.js
  • /wp-content/plugins/football-pool/js/football-pool-charts.js
  • +2 more

Script Paths

  • /wp-content/plugins/football-pool/js/football-pool.js
  • /wp-content/plugins/football-pool/js/football-pool-admin.js
  • /wp-content/plugins/football-pool/js/football-pool-charts.js
  • /wp-content/plugins/football-pool/js/football-pool-comments.js
  • /wp-content/plugins/football-pool/js/football-pool-tables.js

Version Parameters

  • football-pool/css/football-pool.css?ver=
  • football-pool/css/football-pool-admin.css?ver=
  • football-pool/css/football-pool-charts.css?ver=
  • football-pool/css/football-pool-comments.css?ver=
  • football-pool/css/football-pool-tables.css?ver=
  • football-pool/js/football-pool.js?ver=
  • football-pool/js/football-pool-admin.js?ver=
  • football-pool/js/football-pool-charts.js?ver=
  • football-pool/js/football-pool-comments.js?ver=
  • football-pool/js/football-pool-tables.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • football-pool-ranking
  • football-pool-lastgames
  • football-pool-shoutbox
  • football-pool-group
  • football-pool-next-prediction
  • football-pool-user-profile
  • football-pool-match-predictions
  • football-pool-score-table
  • +1 more

HTML Comments

  • <!-- BEGIN FOOTBALL-POOL -->
  • <!-- END FOOTBALL-POOL -->
  • <!-- begin football-pool admin -->
  • <!-- end football-pool admin -->

Data Attributes

  • data-football-pool-match-id
  • data-football-pool-user-id
  • data-football-pool-league-id
  • data-football-pool-game-id

JS Globals

  • footballPool
  • footballPoolAdmin

REST Endpoints

  • /wp-json/football-pool/v1/matches
  • /wp-json/football-pool/v1/predictions
  • /wp-json/football-pool/v1/scores

Shortcode Output

  • [football-pool-ranking]
  • [football-pool-lastgames]
  • [football-pool-shoutbox]
  • [football-pool-group]