MSTW League Manager Security & Risk Analysis

wordpress.org/plugins/mstw-league-manager

Manages multiple sports leagues and seasons. Displays schedules and standings in multiple formats.

100 active installs · v2.10 · PHP 5.5+ · WP 4.9.1+ · Updated Nov 19, 2024
Tags: leagues, schedules, sports, standings, teams

Score: 48 · D · High Risk
CVEs total: 2 · Unpatched: 2 · Last CVE: Apr 2, 2026
Safety Verdict

Is MSTW League Manager Safe to Use in 2026?

High Risk

Score 48/100

MSTW League Manager carries significant security risk with 2 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

2 known CVEs · 2 unpatched · Last CVE: Apr 2, 2026 · Updated 1yr ago
Risk Assessment

The "mstw-league-manager" v2.10 plugin exhibits a concerning security posture, primarily due to a significant number of unprotected AJAX handlers and a lack of proper input sanitization for file operations. While the plugin avoids dangerous functions and external HTTP requests, the presence of raw SQL queries and a low percentage of properly escaped outputs indicate potential vulnerabilities that could be exploited. The historical vulnerability data, which includes a medium-severity CVE, suggests a recurring pattern of security weaknesses. Despite some good practices like the use of capability checks and nonces in a limited capacity, the overall risk is elevated by the unprotected entry points and the critical findings in the taint analysis.

Key Concerns

  • Unprotected AJAX handlers
  • SQL queries not using prepared statements
  • Low percentage of properly escaped output
  • Flows with unsanitized paths
  • Unpatched CVE (medium severity)
Vulnerabilities: 2

MSTW League Manager Security Vulnerabilities

CVEs by Year

2025: 1 CVE · unpatched
2026: 1 CVE · unpatched

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2026-34890 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MSTW League Manager <= 2.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 2, 2026 · Unpatched

CVE-2025-58852 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

MSTW League Manager <= 2.10 - Cross-Site Request Forgery

Sep 5, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

MSTW League Manager Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (0 prepared)
  • Unescaped Output: 250 (70 escaped)
  • Nonce Checks: 3
  • Capability Checks: 7
  • File Operations: 11
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

0% prepared · 1 total query

Output Escaping

22% escaped · 320 total outputs

Data Flows: 21 unsanitized

Data Flow Analysis

23 flows · 21 with unsanitized paths
post (includes\mstw-lm-csv-import-class-with-time-adjust.php:305)
Attack Surface: 7 unprotected

MSTW League Manager Attack Surface

Entry Points: 20
Unprotected: 7

AJAX Handlers 7

auth wp_ajax_manage_games mstw-league-manager.php:261
auth wp_ajax_multi_league mstw-league-manager.php:266
nopriv wp_ajax_multi_league mstw-league-manager.php:267
auth wp_ajax_multi_schedule mstw-league-manager.php:272
nopriv wp_ajax_multi_schedule mstw-league-manager.php:273
auth wp_ajax_multi_team_schedule mstw-league-manager.php:278
nopriv wp_ajax_multi_team_schedule mstw-league-manager.php:279

Shortcodes 13

[mstw_league_schedule_2] includes\mstw-lm-league-schedule-class.php:27
[mstw_league_schedule_slider] includes\mstw-lm-league-slider-class.php:30
[mstw_league_schedule_ticker] includes\mstw-lm-league-slider-class.php:32
[mstw_multi_schedule_table] includes\mstw-lm-multi-schedule-table-class.php:208
[mstw_multi_league_standings] includes\mstw-lm-multi-standings-table.php:30
[mstw_multi_team_schedule] includes\mstw-lm-multi-team-schedule-class.php:444
[mstw_league_schedule_gallery] includes\mstw-lm-schedule-gallery.php:33
[mstw_league_schedule_gallery_2] includes\mstw-lm-schedule-gallery.php:34
[mstw_league_schedule_table] includes\mstw-lm-schedule-table.php:30
[mstw_league_standings] includes\mstw-lm-standings-table.php:30
[mstw_team_schedule] includes\mstw-lm-team-schedule.php:30
[mstw_team_schedule_2] includes\mstw-lm-team-schedule.php:33
[mstw_location_table] includes\mstw-lm-venue-table.php:31

WordPress Hooks 71

action save_post_mstw_lm_game includes\mstw-lm-add-games-class.php:792
action admin_enqueue_scripts includes\mstw-lm-admin.php:39
action edit_user_profile_update includes\mstw-lm-admin.php:45
action user_register includes\mstw-lm-admin.php:46
action profile_update includes\mstw-lm-admin.php:47
action delete_term_taxonomy includes\mstw-lm-admin.php:51
action admin_menu includes\mstw-lm-admin.php:55
filter post_updated_messages includes\mstw-lm-admin.php:58
filter bulk_post_updated_messages includes\mstw-lm-admin.php:61
action admin_head-post.php includes\mstw-lm-admin.php:64
action admin_head-post-new.php includes\mstw-lm-admin.php:65
action admin_head-edit.php includes\mstw-lm-admin.php:68
filter post_row_actions includes\mstw-lm-admin.php:74
filter bulk_actions-edit-mstw_lm_team includes\mstw-lm-admin.php:77
filter handle_bulk_actions-edit-mstw_lm_team includes\mstw-lm-admin.php:78
filter bulk_actions-edit-mstw_lm_game includes\mstw-lm-admin.php:80
filter bulk_actions-edit-mstw_lm_venue includes\mstw-lm-admin.php:81
filter bulk_actions-edit-mstw_lm_record includes\mstw-lm-admin.php:82
filter bulk_actions-edit-mstw_lm_league includes\mstw-lm-admin.php:85
filter term_updated_messages includes\mstw-lm-admin.php:90
action load-edit-tags.php includes\mstw-lm-admin.php:838
action load-edit.php includes\mstw-lm-admin.php:873
action load-post.php includes\mstw-lm-admin.php:874
action load-post-new.php includes\mstw-lm-admin.php:875
action load-edit.php includes\mstw-lm-admin.php:890
action load-post.php includes\mstw-lm-admin.php:891
action load-post-new.php includes\mstw-lm-admin.php:892
action load-edit.php includes\mstw-lm-admin.php:949
action load-post.php includes\mstw-lm-admin.php:950
action load-post-new.php includes\mstw-lm-admin.php:951
action admin_init includes\mstw-lm-admin.php:1465
action wp_dashboard_setup includes\mstw-lm-admin.php:1584
action edit_form_after_title includes\mstw-lm-game-cpt-admin.php:27
action add_meta_boxes_mstw_lm_game includes\mstw-lm-game-cpt-admin.php:48
action save_post_mstw_lm_game includes\mstw-lm-game-cpt-admin.php:455
filter manage_edit-mstw_lm_game_columns includes\mstw-lm-game-cpt-admin.php:737
action manage_mstw_lm_game_posts_custom_column includes\mstw-lm-game-cpt-admin.php:765
filter manage_edit-mstw_lm_game_sortable_columns includes\mstw-lm-game-cpt-admin.php:948
filter request includes\mstw-lm-game-cpt-admin.php:962
action restrict_manage_posts includes\mstw-lm-game-cpt-admin.php:989
action restrict_manage_posts includes\mstw-lm-game-cpt-admin.php:1036
filter parse_query includes\mstw-lm-game-cpt-admin.php:1149
filter parse_query includes\mstw-lm-game-cpt-admin.php:1178
filter get_league_schedule_slider_instance includes\mstw-lm-league-slider-class.php:28
filter mstw_lm_league_row_actions includes\mstw-lm-league-tax-admin.php:27
action mstw_lm_league_add_form_fields includes\mstw-lm-league-tax-admin.php:46
action mstw_lm_league_edit_form_fields includes\mstw-lm-league-tax-admin.php:47
filter manage_edit-mstw_lm_league_columns includes\mstw-lm-league-tax-admin.php:145
filter manage_mstw_lm_league_custom_column includes\mstw-lm-league-tax-admin.php:168
action edited_mstw_lm_league includes\mstw-lm-league-tax-admin.php:214
action create_mstw_lm_league includes\mstw-lm-league-tax-admin.php:216
filter get_multi_schedule_table_instance includes\mstw-lm-multi-schedule-table-class.php:27
filter get_multi_schedule_table_instance includes\mstw-lm-multi-team-schedule-class.php:27
action wp_loaded includes\mstw-lm-multi-team-schedule-class.php:437
action save_post_mstw_lm_game includes\mstw-lm-seasons-admin.php:534
action add_meta_boxes_mstw_lm_team includes\mstw-lm-team-cpt-admin.php:44
action save_post_mstw_lm_team includes\mstw-lm-team-cpt-admin.php:334
filter manage_edit-mstw_lm_team_columns includes\mstw-lm-team-cpt-admin.php:397
action manage_mstw_lm_team_posts_custom_column includes\mstw-lm-team-cpt-admin.php:442
action restrict_manage_posts includes\mstw-lm-team-cpt-admin.php:557
action add_meta_boxes_mstw_lm_venue includes\mstw-lm-venue-cpt-admin.php:28
action save_post_mstw_lm_venue includes\mstw-lm-venue-cpt-admin.php:133
filter manage_edit-mstw_lm_venue_columns includes\mstw-lm-venue-cpt-admin.php:201
action manage_mstw_lm_venue_posts_custom_column includes\mstw-lm-venue-cpt-admin.php:227
action restrict_manage_posts includes\mstw-lm-venue-cpt-admin.php:327
action init mstw-league-manager.php:124
action wp_enqueue_scripts mstw-league-manager.php:235
action plugins_loaded mstw-league-manager.php:242
filter single_template mstw-league-manager.php:299
filter taxonomy_template mstw-league-manager.php:314
filter mstw_lm_sports_list mstw-league-manager.php:474

Maintenance & Trust

MSTW League Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Nov 19, 2024
PHP min version: 5.5
Downloads: 13K

Community Trust

Rating: 96/100
Number of ratings: 4
Active installs: 100

Developer Profile

MSTW League Manager Developer Profile

Mark O'Donnell

7 plugins · 550 total installs

Trust score: 66
Avg Security Score: 81/100
Avg Patch Time: 158 days
Detection Fingerprints

How We Detect MSTW League Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/mstw-league-manager/css/mstw-lm-admin.css
  • /wp-content/plugins/mstw-league-manager/css/mstw-lm-styles.css
  • /wp-content/plugins/mstw-league-manager/css/mstw-lm-team-schedule-styles.css
  • /wp-content/plugins/mstw-league-manager/css/mstw-lm-league-schedule-styles.css
  • /wp-content/plugins/mstw-league-manager/css/mstw-lm-schedule-gallery-styles.css
  • /wp-content/plugins/mstw-league-manager/css/mstw-lm-admin-schedule-edit-styles.css
  • /wp-content/plugins/mstw-league-manager/js/mstw-lm-admin.js
  • /wp-content/plugins/mstw-league-manager/js/mstw-lm-teams.js
  • +3 more

Script Paths
  • /wp-content/plugins/mstw-league-manager/js/mstw-lm-admin.js
  • /wp-content/plugins/mstw-league-manager/js/mstw-lm-teams.js
  • /wp-content/plugins/mstw-league-manager/js/mstw-lm-leagues.js
  • /wp-content/plugins/mstw-league-manager/js/mstw-lm-schedule-edit.js
  • /wp-content/plugins/mstw-league-manager/js/mstw-lm-schedule-gallery.js

Version Parameters
  • mstw-league-manager/css/mstw-lm-admin.css?ver=
  • mstw-league-manager/css/mstw-lm-styles.css?ver=
  • mstw-league-manager/css/mstw-lm-team-schedule-styles.css?ver=
  • mstw-league-manager/css/mstw-lm-league-schedule-styles.css?ver=
  • mstw-league-manager/css/mstw-lm-schedule-gallery-styles.css?ver=
  • mstw-league-manager/css/mstw-lm-admin-schedule-edit-styles.css?ver=
  • mstw-league-manager/js/mstw-lm-admin.js?ver=
  • mstw-league-manager/js/mstw-lm-teams.js?ver=
  • mstw-league-manager/js/mstw-lm-leagues.js?ver=
  • mstw-league-manager/js/mstw-lm-schedule-edit.js?ver=
  • mstw-league-manager/js/mstw-lm-schedule-gallery.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • mstw-lm-admin-notice
  • mstw-lm-team-data
  • mstw-lm-league-data
  • mstw-lm-schedule-table
  • mstw-lm-league-schedule
  • mstw-lm-schedule-gallery
  • mstw-lm-schedule-edit-form

HTML Comments
  • <!-- MSTW League Manager: Begin Team Edit Form -->
  • <!-- MSTW League Manager: Begin League Edit Form -->
  • <!-- MSTW League Manager: Begin Schedule Edit Form -->
  • <!-- MSTW League Manager: End Schedule Edit Form -->
  • +4 more

Data Attributes
  • data-mstw-lm-team-id
  • data-mstw-lm-league-id
  • data-mstw-lm-schedule-id

JS Globals
  • mstw_lm_admin_options
  • mstw_lm_teams_options
  • mstw_lm_leagues_options
  • mstw_lm_schedule_edit_options
  • mstw_lm_schedule_gallery_options

REST Endpoints
  • /wp-json/mstw-league-manager/v1/teams
  • /wp-json/mstw-league-manager/v1/leagues
  • /wp-json/mstw-league-manager/v1/schedules

Shortcode Output
  • [mstw_lm_team]
  • [mstw_lm_league]
  • [mstw_lm_schedule_table]
  • [mstw_lm_multi_schedule_table]