JoomSport – for Sports: Team & League, Football, Hockey & more <= 5.7.7 - Unauthenticated SQL Injection
Description
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.7.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=5.7.7What Changed in the Fix
Changes introduced in v5.7.8
Source Code
WordPress.org SVN# Vulnerability Analysis: JoomSport – Unauthenticated SQL Injection (CVE-2026-42647) ## 1. Vulnerability Summary The JoomSport plugin (versions <= 5.7.7) is vulnerable to an unauthenticated SQL injection. The vulnerability exists because the plugin fails to properly sanitize or prepare user-supplie…
Show full research plan
Vulnerability Analysis: JoomSport – Unauthenticated SQL Injection (CVE-2026-42647)
1. Vulnerability Summary
The JoomSport plugin (versions <= 5.7.7) is vulnerable to an unauthenticated SQL injection. The vulnerability exists because the plugin fails to properly sanitize or prepare user-supplied parameters before incorporating them into SQL queries. Specifically, certain frontend features (likely related to live matches, standings, or matchday statistics) process input from $_GET, $_POST, or $_REQUEST and pass it into raw SQL queries or improperly used $wpdb->prepare() statements.
The severity is high (7.5) because an unauthenticated attacker can extract sensitive information from the database, including user credentials (password hashes) and secret keys.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php(for AJAX-based injection) or any frontend page containing a JoomSport shortcode (for shortcode-attribute-based injection). - Vulnerable Parameter: Likely a parameter used for sorting or filtering, such as
orderby,order,md_id, orsid. - Authentication: Unauthenticated (No login required).
- Preconditions: The plugin must be active. For certain vectors, a specific shortcode (like
[jsStandings]or[jsMatches]) might need to be present on a published page to trigger the vulnerable code path.
3. Code Flow
Summary
The JoomSport plugin for WordPress is vulnerable to an unauthenticated SQL Injection via the 'sortf' parameter in the player list sorting logic. Attackers can escape the SQL backticks in the ORDER BY clause to execute arbitrary SQL commands and extract sensitive database information.
Vulnerable Code
// sportleague/classes/objects/class-jsport-playerlist.php if (classJsportRequest::get('sortf')) { $typeAD = in_array(classJsportRequest::get('sortd'), array("ASC","DESC"))?classJsportRequest::get('sortd'):"ASC"; $options['ordering'] = str_replace(" ","",sanitize_text_field("`".classJsportRequest::get('sortf')."`")).' '.$typeAD; }
Security Fix
@@ -37,11 +37,27 @@ global $jsDatabase; $options['season_id'] = $this->season_id; + $sortFieldEsc = 'post_title'; + $sortCols = array("played", "career_minutes","post_title"); + $link = classJsportLink::playerlist($this->season_id); if (classJsportRequest::get('sortf')) { $link .= '&sortf='.classJsportRequest::get('sortf'); $link .= '&sortd='.classJsportRequest::get('sortd'); + + $pattern = '/^eventid_\\d+$/'; + + if (in_array(classJsportRequest::get('sortf'), $sortCols)) { + $sortFieldEsc = classJsportRequest::get('sortf'); + } + if (preg_match('/^eventid_\\d+$/', classJsportRequest::get('sortf'))) { + $sortFieldEsc = classJsportRequest::get('sortf'); + } + if (preg_match('/^ef_\\d+$/', classJsportRequest::get('sortf'))) { + $sortFieldEsc = classJsportRequest::get('sortf'); + } } + $pagination = new classJsportPagination($link); $options['limit'] = $pagination->getLimit(); $options['offset'] = $pagination->getOffset(); @@ -77,7 +93,7 @@ // if (classJsportRequest::get('sortf')) { $typeAD = in_array(classJsportRequest::get('sortd'), array("ASC","DESC"))?classJsportRequest::get('sortd'):"ASC"; - $options['ordering'] = str_replace(" ","",sanitize_text_field("`".classJsportRequest::get('sortf')."`")).' '.$typeAD; + $options['ordering'] = str_replace(" ","",sanitize_text_field("`".$sortFieldEsc."\`")).' '.$typeAD; } $players = classJsportgetplayers::getPlayersFromTeam($options);
Exploit Outline
The exploit targets the player list view, which can be reached via frontend pages utilizing the [jsMatchPlayerList] shortcode or similar functionality. An attacker sends a GET request to a page displaying a player list and includes a 'sortf' parameter containing a backtick to escape the wrapping backticks in the SQL query. For example, a payload like `sortf=post_title`,(SELECT(1)FROM(SELECT(SLEEP(5)))a) would cause the database to pause, confirming the injection. This requires no authentication and can be used to perform blind SQL injection to exfiltrate user hashes or other sensitive data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.