Skip to main content

Sportspress Pro

1 CVEs product

Monthly

CVE-2026-57749 HIGH This Week

Local File Inclusion in the SportsPress Pro WordPress plugin (versions 2.7.29 and earlier) lets an authenticated user holding at least Contributor privileges cause the application to include and disclose arbitrary local files on the server. Because the flaw is rooted in unsafe PHP file inclusion (CWE-98), a successful attacker can read sensitive files such as wp-config.php and, depending on which local files can be included, potentially escalate toward code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the finding is documented by Patchstack.

LFI Information Disclosure PHP Sportspress Pro
NVD
CVSS 3.1
7.5
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the SportsPress Pro WordPress plugin (versions 2.7.29 and earlier) lets an authenticated user holding at least Contributor privileges cause the application to include and disclose arbitrary local files on the server. Because the flaw is rooted in unsafe PHP file inclusion (CWE-98), a successful attacker can read sensitive files such as wp-config.php and, depending on which local files can be included, potentially escalate toward code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the finding is documented by Patchstack.

LFI Information Disclosure PHP +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy