Skip to main content

JoomSport CVE-2026-12133

| EUVDEUVD-2026-40887 MEDIUM
Missing Authorization (CWE-862)
2026-07-01 Wordfence GHSA-rqx7-vhrr-mqm2
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-exploitable by any authenticated subscriber with no complexity barrier; impact is integrity-only (group record deletion), with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:31 vuln.today
CVE Published
Jul 01, 2026 - 03:43 nvd
MEDIUM 4.3

DescriptionCVE.org

The JoomSport - for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsport_season_groupdel() AJAX handler, which only verifies a nonce before executing a DELETE query on attacker-supplied group IDs. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary JoomSport group records.

AnalysisAI

Arbitrary group deletion in the JoomSport WordPress plugin (versions ≤5.7.8) is achievable by any authenticated subscriber-level user due to a missing capability check in the joomsport_season_groupdel() AJAX handler. The handler validates a WordPress nonce - preventing CSRF - but never calls current_user_can() or equivalent, allowing any logged-in user to supply attacker-controlled group IDs to an unguarded DELETE query. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain Subscriber-level WordPress account
Delivery
Retrieve valid nonce from authenticated session
Exploit
Craft AJAX POST to wp-admin/admin-ajax.php with joomsport_season_groupdel action
Install
Supply attacker-controlled group ID in request body
C2
Handler validates nonce but skips capability check
Execute
DELETE query executes against target group record
Impact
JoomSport group data permanently destroyed

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum Subscriber-level access - the default role assigned on sites with open user registration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 Medium vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) is internally consistent with the description and accurately represents the constrained impact: the attack is network-reachable with low complexity, but requires at minimum a Subscriber-level WordPress account (PR:L), and the consequence is limited to integrity degradation of sports group records with no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a public-facing sports club or league website running JoomSport 5.7.8, then obtains a valid WordPress nonce from the authenticated session context. The attacker sends a crafted AJAX POST request to wp-admin/admin-ajax.php with the action parameter set to joomsport_season_groupdel and an arbitrary group ID, causing the plugin to execute an unguarded DELETE query that permanently removes the targeted group record. …
Remediation Upstream fix available (SVN changeset revision 3581673 committed to the WordPress plugin repository trunk); however, the exact released patched version number is not independently confirmed in the provided data - administrators should update the JoomSport plugin to the latest version available in the WordPress plugin directory and verify the version exceeds 5.7.8. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy