Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Requires subscriber-level authentication (PR:L); nonce is passively exposed so complexity is low (AC:L); impact is integrity-only on sports data with no confidentiality or availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The JoomSport - for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary season groups or modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages that render a JoomSport shortcode.
AnalysisAI
Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active WordPress user account at subscriber level or higher on the target site - unauthenticated visitors cannot exploit this vulnerability, as the PR:L CVSS metric confirms. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.3 (Medium) score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately characterizes the risk envelope: network-reachable, low complexity, requires authenticated low-privilege access, and produces only limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WordPress site running JoomSport (or uses an existing low-privilege account), then loads any public page where a JoomSport shortcode is rendered and extracts the `joomsportajaxnonce` value from the page HTML. Using this nonce and their session cookie, they craft authenticated AJAX POST requests to the season management endpoint to rename participant records, inject fictitious season groups, or alter round-type configurations - corrupting league standings or fixture data without any administrator interaction. … |
| Remediation | A code fix has been committed to the plugin's trunk on WordPress Plugin Trac (changeset https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3581673%40joomsport-sports-league-results-management&new=3581673%40joomsport-sports-league-results-management&sfp_email=&sfph_mail=), but a specific patched release version number is not confirmed in the available data - site owners should update to the latest available version via the WordPress plugin repository dashboard and verify the installed version exceeds 5.7.8. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Joomsport For Sports
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41265
GHSA-h398-fp2w-9mpg