[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZwrdhVBSXvLfoQztvOq7Z_6_9cpcbgRzCJXSS-VIZ9Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-42647","joomsport-for-sports-team-league-football-hockey-more-unauthenticated-sql-injection","JoomSport – for Sports: Team & League, Football, Hockey & more \u003C= 5.7.7 - Unauthenticated SQL Injection","The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.7.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","joomsport-sports-league-results-management",null,"\u003C=5.7.7","5.7.8","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-29 00:00:00","2026-05-04 13:57:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc2b9c6ab-28b4-49c7-9dc2-32bca81300f8?source=api-prod",6,[22,23,24,25,26,27],"includes\u002Fjoomsport-actions.php","includes\u002Fjoomsport-shortcodes.php","includes\u002Fmeta-boxes\u002Fjoomsport-meta-tournament.php","includes\u002Fpages\u002Fjoomsport-page-extrafields.php","joomsport.php","readme.txt","researched",false,3,"# Vulnerability Analysis: JoomSport – Unauthenticated SQL Injection (CVE-2026-42647)\n\n## 1. Vulnerability Summary\nThe JoomSport plugin (versions \u003C= 5.7.7) is vulnerable to an unauthenticated SQL injection. The vulnerability exists because the plugin fails to properly sanitize or prepare user-supplied parameters before incorporating them into SQL queries. Specifically, certain frontend features (likely related to live matches, standings, or matchday statistics) process input from `$_GET`, `$_POST`, or `$_REQUEST` and pass it into raw SQL queries or improperly used `$wpdb->prepare()` statements.\n\nThe severity is high (7.5) because an unauthenticated attacker can extract sensitive information from the database, including user credentials (password hashes) and secret keys.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (for AJAX-based injection) or any frontend page containing a JoomSport shortcode (for shortcode-attribute-based injection).\n- **Vulnerable Parameter:** Likely a parameter used for sorting or filtering, such as `orderby`, `order`, `md_id`, or `sid`.\n- **Authentication:** Unauthenticated (No login required).\n- **Preconditions:** The plugin must be active. For certain vectors, a specific shortcode (like `[jsStandings]` or `[jsMatches]`) might need to be present on a published page to trigger the vulnerable code path.\n\n## 3. Code Flow\n","The JoomSport plugin for WordPress is vulnerable to an unauthenticated SQL Injection via the 'sortf' parameter in the player list sorting logic. Attackers can escape the SQL backticks in the ORDER BY clause to execute arbitrary SQL commands and extract sensitive database information.","\u002F\u002F sportleague\u002Fclasses\u002Fobjects\u002Fclass-jsport-playerlist.php\n\nif (classJsportRequest::get('sortf')) {\n    $typeAD = in_array(classJsportRequest::get('sortd'), array(\"ASC\",\"DESC\"))?classJsportRequest::get('sortd'):\"ASC\";\n    $options['ordering'] = str_replace(\" \",\"\",sanitize_text_field(\"`\".classJsportRequest::get('sortf').\"`\")).' '.$typeAD;\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjoomsport-sports-league-results-management\u002F5.7.6\u002Fsportleague\u002Fclasses\u002Fobjects\u002Fclass-jsport-playerlist.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjoomsport-sports-league-results-management\u002F5.7.8\u002Fsportleague\u002Fclasses\u002Fobjects\u002Fclass-jsport-playerlist.php\n@@ -37,11 +37,27 @@\n         global $jsDatabase;\n         $options['season_id'] = $this->season_id;\n \n+        $sortFieldEsc = 'post_title';\n+        $sortCols = array(\"played\", \"career_minutes\",\"post_title\");\n+\n         $link = classJsportLink::playerlist($this->season_id);\n         if (classJsportRequest::get('sortf')) {\n             $link .= '&sortf='.classJsportRequest::get('sortf');\n             $link .= '&sortd='.classJsportRequest::get('sortd');\n+\n+            $pattern = '\u002F^eventid_\\\\d+$\u002F';\n+\n+            if (in_array(classJsportRequest::get('sortf'), $sortCols)) {\n+                $sortFieldEsc = classJsportRequest::get('sortf');\n+            }\n+            if (preg_match('\u002F^eventid_\\\\d+$\u002F', classJsportRequest::get('sortf'))) {\n+                $sortFieldEsc = classJsportRequest::get('sortf');\n+            }\n+            if (preg_match('\u002F^ef_\\\\d+$\u002F', classJsportRequest::get('sortf'))) {\n+                $sortFieldEsc = classJsportRequest::get('sortf');\n+            }\n         }\n+\n         $pagination = new classJsportPagination($link);\n         $options['limit'] = $pagination->getLimit();\n         $options['offset'] = $pagination->getOffset();\n@@ -77,7 +93,7 @@\n         \u002F\u002F\n         if (classJsportRequest::get('sortf')) {\n             $typeAD = in_array(classJsportRequest::get('sortd'), array(\"ASC\",\"DESC\"))?classJsportRequest::get('sortd'):\"ASC\";\n-            $options['ordering'] = str_replace(\" \",\"\",sanitize_text_field(\"`\".classJsportRequest::get('sortf').\"`\")).' '.$typeAD;\n+            $options['ordering'] = str_replace(\" \",\"\",sanitize_text_field(\"`\".$sortFieldEsc.\"\\`\")).' '.$typeAD;\n         }\n \n         $players = classJsportgetplayers::getPlayersFromTeam($options);","The exploit targets the player list view, which can be reached via frontend pages utilizing the [jsMatchPlayerList] shortcode or similar functionality. An attacker sends a GET request to a page displaying a player list and includes a 'sortf' parameter containing a backtick to escape the wrapping backticks in the SQL query. For example, a payload like `sortf=post_title`,(SELECT(1)FROM(SELECT(SLEEP(5)))a) would cause the database to pause, confirming the injection. This requires no authentication and can be used to perform blind SQL injection to exfiltrate user hashes or other sensitive data.","gemini-3-flash-preview","2026-05-04 17:49:56","2026-05-04 17:51:08",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","5.7.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjoomsport-sports-league-results-management\u002Ftags\u002F5.7.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjoomsport-sports-league-results-management.5.7.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjoomsport-sports-league-results-management\u002Ftags\u002F5.7.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjoomsport-sports-league-results-management.5.7.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjoomsport-sports-league-results-management\u002Ftags"]