Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-exploitable by any authenticated subscriber with no complexity barrier; impact is integrity-only (group record deletion), with no confidentiality or availability consequence.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The JoomSport - for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsport_season_groupdel() AJAX handler, which only verifies a nonce before executing a DELETE query on attacker-supplied group IDs. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary JoomSport group records.
AnalysisAI
Arbitrary group deletion in the JoomSport WordPress plugin (versions ≤5.7.8) is achievable by any authenticated subscriber-level user due to a missing capability check in the joomsport_season_groupdel() AJAX handler. The handler validates a WordPress nonce - preventing CSRF - but never calls current_user_can() or equivalent, allowing any logged-in user to supply attacker-controlled group IDs to an unguarded DELETE query. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum Subscriber-level access - the default role assigned on sites with open user registration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.3 Medium vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) is internally consistent with the description and accurately represents the constrained impact: the attack is network-reachable with low complexity, but requires at minimum a Subscriber-level WordPress account (PR:L), and the consequence is limited to integrity degradation of sports group records with no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a public-facing sports club or league website running JoomSport 5.7.8, then obtains a valid WordPress nonce from the authenticated session context. The attacker sends a crafted AJAX POST request to wp-admin/admin-ajax.php with the action parameter set to joomsport_season_groupdel and an arbitrary group ID, causing the plugin to execute an unguarded DELETE query that permanently removes the targeted group record. … |
| Remediation | Upstream fix available (SVN changeset revision 3581673 committed to the WordPress plugin repository trunk); however, the exact released patched version number is not independently confirmed in the provided data - administrators should update the JoomSport plugin to the latest version available in the WordPress plugin directory and verify the version exceeds 5.7.8. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Joomsport For Sports
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40887
GHSA-rqx7-vhrr-mqm2