SportsPress < 2.7.9 - Reflected Cross-Site Scripting
Description
The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/SportsPress plugin
- Range: < 2.7.9
Patches
Vulnerability mechanics
Root cause
"Missing sanitization and escaping of the match_day parameter before reflecting it back in the Events backend page."
Attack vector
An attacker can craft a URL containing a malicious payload in the `match_day` parameter and trick a logged-in administrator into visiting it. The plugin fails to sanitize or escape this parameter before reflecting it back on the Events backend page [ref_id=1]. This allows the attacker to inject arbitrary JavaScript that executes in the context of the victim's admin session, potentially leading to session hijacking or administrative actions [CWE-79].
Affected code
The vulnerability exists in the SportsPress WordPress plugin's Events backend page. The `match_day` parameter is output back without sanitization or escaping. The advisory does not specify exact file or function names, but the issue is in the administrative event management interface.
What the fix does
The advisory states the issue is fixed in version 2.7.9 of the SportsPress plugin [ref_id=1]. The patch is not shown in the bundle, but the fix would involve properly sanitizing and escaping the `match_day` parameter before outputting it in the Events backend page, preventing reflected XSS.
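To make the sanitize-then-escape pattern concrete, the following PHP is an added illustration and is not SportsPress code (the advisory does not name the affected file or function). It assumes a hypothetical admin list-table filter, `sp_example_render_match_day_filter_*`, that echoes the selected match day back into a form field on the Events backend page; the vulnerable version shows the raw reflection, the hardened version the WordPress-idiomatic fix.

```php
<?php
// Added example, not from the SportsPress plugin. The function names and the
// form field are assumptions standing in for the unnamed Events backend code.

// Vulnerable pattern: the raw request value is interpolated straight into
// HTML. A value that closes the attribute and the tag will be rendered as
// markup in the administrator's browser (CWE-79).
function sp_example_render_match_day_filter_vulnerable() {
    $match_day = isset( $_GET['match_day'] ) ? $_GET['match_day'] : '';
    echo '<input type="text" name="match_day" value="' . $match_day . '" />';
}

// Hardened pattern: unslash, sanitize on input, escape for the exact output
// context. sanitize_text_field() strips tags and control characters but does
// not encode quotes, so it is not a substitute for esc_attr() inside an
// attribute; both steps are needed.
function sp_example_render_match_day_filter_fixed() {
    $match_day = isset( $_GET['match_day'] )
        ? sanitize_text_field( wp_unslash( $_GET['match_day'] ) )
        : '';
    printf(
        '<input type="text" name="match_day" value="%s" />',
        esc_attr( $match_day )
    );
}

// If the parameter is only ever a day number, validating its type is the
// simplest fix of all: absint() leaves nothing that can break out of markup.
function sp_example_render_match_day_filter_numeric() {
    $match_day = isset( $_GET['match_day'] ) ? absint( $_GET['match_day'] ) : 0;
    printf(
        '<input type="number" name="match_day" value="%d" />',
        $match_day
    );
}
```

Whichever variant the plugin uses, the escaping call must match the output context: `esc_attr()` for attribute values, `esc_html()` for text nodes, `esc_url()` for `href`/`src`. Reviewing an admin screen for this class of bug means locating every place a `$_GET`/`$_REQUEST` value reaches `echo`, `printf` or a template and confirming one of those calls sits between them.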
Preconditions
- Input: The attacker must trick a logged-in WordPress administrator into visiting a crafted URL containing the malicious match_day parameter.
- Config: The target site must be running a version of SportsPress prior to 2.7.9.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- wpscan.com/vulnerability/69351798-c790-42d4-9485-1813cd325769 (MISC)
News mentions
No linked articles in our index yet.