Skip to main content

JoomSport EUVDEUVD-2026-41265

| CVE-2026-12134 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 Wordfence GHSA-h398-fp2w-9mpg
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Requires subscriber-level authentication (PR:L); nonce is passively exposed so complexity is low (AC:L); impact is integrity-only on sports data with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:19 vuln.today
CVE Published
Jul 02, 2026 - 08:33 cve.org
MEDIUM 4.3

DescriptionCVE.org

The JoomSport - for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary season groups or modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages that render a JoomSport shortcode.

AnalysisAI

Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain subscriber-level WordPress account
Delivery
Load frontend page rendering a JoomSport shortcode
Exploit
Extract joomsportajaxnonce from page HTML source
Execution
Craft authenticated AJAX POST to season management endpoint
Impact
Create or overwrite season groups, participants, and round-type records

Vulnerability AssessmentAI

Exploitation Exploitation requires an active WordPress user account at subscriber level or higher on the target site - unauthenticated visitors cannot exploit this vulnerability, as the PR:L CVSS metric confirms. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 (Medium) score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately characterizes the risk envelope: network-reachable, low complexity, requires authenticated low-privilege access, and produces only limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running JoomSport (or uses an existing low-privilege account), then loads any public page where a JoomSport shortcode is rendered and extracts the `joomsportajaxnonce` value from the page HTML. Using this nonce and their session cookie, they craft authenticated AJAX POST requests to the season management endpoint to rename participant records, inject fictitious season groups, or alter round-type configurations - corrupting league standings or fixture data without any administrator interaction. …
Remediation A code fix has been committed to the plugin's trunk on WordPress Plugin Trac (changeset https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3581673%40joomsport-sports-league-results-management&new=3581673%40joomsport-sports-league-results-management&sfp_email=&sfph_mail=), but a specific patched release version number is not confirmed in the available data - site owners should update to the latest available version via the WordPress plugin repository dashboard and verify the installed version exceeds 5.7.8. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41265 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy