CVE-2026-42647 Scanner

The JoomSport Sports League plugin is a widely used WordPress tool designed for managing sports leagues. Developed by BearDev, it allows administrators to manage players, teams, and fixtures seamlessly. The plugin is particularly popular among community sports organizations, local clubs, and amateur leagues aiming to streamline their operations. Its integration with WordPress provides ease of use to non-technical users looking to maintain a sports website efficiently. Regular updates by the developers ensure its functionality aligns with user needs and WordPress platform updates. As one of the comprehensive plugins in the sports domain, it supports a range of sports types and configurations.

The SQL Injection vulnerability found in the JoomSport WordPress plugin affects the player list view. Specifically, it is a time-based blind SQL injection that can be exploited via the 'sortf' GET parameter. This vulnerability allows attackers to inject SQL commands that are executed by the database. Since it leverages the ORDER BY clause, it can manipulate how data is sorted and displayed. An attacker does not need to authenticate to exploit this vulnerability, making it particularly severe. Time-based blind injection means the payload execution is determined by response time to identify if SQL commands are successful.

The vulnerability stems from insufficient input validation where the 'sortf' parameter in the HTTP request can be manipulated. Without proper sanitation, this parameter's value is concatenated directly into an SQL ORDER BY clause within the SQL query. The query execution can impact database operation by allowing unauthorized extraction of sensitive data. The endpoint susceptible to this attack is commonly aimed at retrieving sorted player lists, making it essential for sports league management. By abusing this endpoint, an attacker can infer database structure and extract critical information. This exploitation doesn't require user interaction beyond sending crafted requests.

Exploiting the SQL Injection vulnerability can lead to severe security issues, including unauthorized access to sensitive database information. Attackers could retrieve data such as admin credentials, user emails, and plugin-stored secrets. If left unpatched, the vulnerability could potentially be used to manipulate or steal data, leading to loss of privacy, data corruption, or even control over the WordPress site. Organizations could face reputational damage and loss of trust from users. Additionally, exploiting this vulnerability may lead to further chain exploits within the web application environment or server.

REFERENCES

• https://patchstack.com/database/wordpress/plugin/joomsport-sports-league-results-management/vulnerability/wordpress-joomsport-plugin-5-7-7-sql-injection-vulnerability
• https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.5/sportleague/base/wordpress/classes/class-jsport-getplayers.php#L153
• https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.5/sportleague/classes/objects/class-jsport-playerlist.php#L80
• https://nvd.nist.gov/vuln/detail/CVE-2026-42647