
JoomSport EUVD-2026-36359

CVE-2026-42647 · CRITICAL · SQL Injection (CWE-89)
2026-06-11 · Patchstack · GHSA-2369-78ph-422f
CVSS 3.1 base score 9.3 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 9.3 CRITICAL
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

vuln.today AI: 9.1 CRITICAL
  Rationale: Network-reachable WordPress plugin, no auth or interaction (PR:N/UI:N/AC:L); SQLi typically yields full read and write of plugin/WordPress data (C:H/I:H), with scope unchanged within the DB context.
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Jun 11, 2026, 21:52 (vuln.today)

Description (CVE.org)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection.

This issue affects JoomSport: from n/a through 5.7.7.

Analysis (AI)

Blind SQL injection in Beardev JoomSport (WordPress plugin) through version 5.7.7 allows remote unauthenticated attackers to inject crafted SQL into backend database queries. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality exposure and partial availability impact. No public exploit had been identified at the time of analysis, although Patchstack has catalogued the issue.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify WordPress site running JoomSport ≤5.7.7
Delivery: Probe plugin endpoints for injectable parameter
Exploit: Send crafted blind SQLi payload
Execution: Infer database contents via boolean/time channels
Persist: Exfiltrate user hashes and secrets
Impact: Pivot to admin account takeover

Vulnerability Assessment (AI)

Exploitation: The target WordPress site must have the Beardev JoomSport plugin installed and activated at version 5.7.7 or earlier, with the vulnerable plugin endpoint reachable over HTTP/HTTPS by the attacker. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L indicates a network-reachable, low-complexity, unauthenticated attack with scope change and high confidentiality impact, a realistic priority for any WordPress site running the plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker scans WordPress sites for the JoomSport plugin, then sends a crafted HTTP GET or POST request to a vulnerable plugin endpoint embedding a blind SQL payload (boolean or time-based) into a parameter consumed by an unsanitised query. By iterating queries and observing response differences or delays, the attacker exfiltrates wp_users password hashes, session tokens, or arbitrary database content. …

Remediation: Upgrade JoomSport to a version newer than 5.7.7 once the vendor publishes a fix; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/joomsport-sports-league-results-management/vulnerability/wordpress-joomsport-plugin-5-7-7-sql-injection-vulnerability for the patched release number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all WordPress installations using Beardev JoomSport plugin and identify instances running version 5.7.7 or earlier; assess criticality of plugin to business operations. …
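The inventory step above is the one that can be automated. The script below is an added example, not code from vuln.today, Patchstack or the plugin vendor: it takes a per-site list of installed plugins in the shape that `wp plugin list --format=json` prints, and flags every site where JoomSport is installed at 5.7.7 or earlier, the affected range the advisory states. The plugin slug is assumed from the path of the Patchstack advisory URL on this page, and the site inventory embedded in the script is constructed sample data. Version strings are compared component by component rather than as text, so that 5.7.10 sorts after 5.7.7.

```python
"""Triage helper for the JoomSport advisory (added example; not code from
vuln.today, Patchstack or the plugin vendor).

Input: a list of sites, each with the plugin list `wp plugin list --format=json`
prints for that site. Output: the sites where JoomSport is installed at a version
in the affected range ("from n/a through 5.7.7").
"""
import json

# Slug assumed from the Patchstack advisory URL path (assumption, not from the CVE text).
JOOMSPORT_SLUG = "joomsport-sports-league-results-management"
# Highest affected version per the advisory.
LAST_AFFECTED = "5.7.7"


def parse_version(text):
    """Turn '5.7.10' into (5, 7, 10). A non-numeric suffix ends the numeric
    part of a component, so '5.8-beta1' -> (5, 8)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a numeric compare; missing components count as 0,
    so '5.8' == '5.8.0' and '5.7.10' > '5.7.7' (a plain string compare gets
    the second one wrong)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(version):
    """True when the installed JoomSport version lies within the affected range."""
    return compare_versions(version, LAST_AFFECTED) <= 0


def triage_inventory(sites):
    """sites: list of {"site": url, "plugins": [{"name", "status", "version"}, ...]}.
    Returns (site, version, status) for each affected JoomSport install. Inactive
    installs are reported too: the vulnerable code is still on disk and one
    click away from activation. A missing version is reported as 'unknown'
    rather than silently skipped."""
    findings = []
    for site in sites:
        for plugin in site.get("plugins", []):
            if plugin.get("name") != JOOMSPORT_SLUG:
                continue
            version = plugin.get("version", "")
            if not version or is_affected(version):
                findings.append((site["site"], version or "unknown", plugin.get("status", "unknown")))
    return findings


# Constructed sample inventory in the shape `wp plugin list --format=json` gives per site.
SAMPLE_INVENTORY = json.loads("""[
  {"site": "https://league.example.test", "plugins": [
     {"name": "joomsport-sports-league-results-management", "status": "active", "version": "5.7.7"},
     {"name": "akismet", "status": "active", "version": "5.3"}]},
  {"site": "https://club.example.test", "plugins": [
     {"name": "joomsport-sports-league-results-management", "status": "inactive", "version": "5.6.2"}]},
  {"site": "https://news.example.test", "plugins": [
     {"name": "joomsport-sports-league-results-management", "status": "active", "version": "5.7.10"}]},
  {"site": "https://blog.example.test", "plugins": [
     {"name": "akismet", "status": "active", "version": "5.3"}]}
]""")


if __name__ == "__main__":
    for site, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"AFFECTED {site} joomsport={version} ({status})")
```

Because the page lists no patched release, a version above 5.7.7 is only outside the stated range, not confirmed fixed; confirm the fixed version against the Patchstack advisory before closing those sites out.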


EUVD-2026-36359 vulnerability details – vuln.today
