JoomSport < 5.2.8 - Unauthenticated SQLi
Description
JoomSport plugin before 5.2.8 has an unauthenticated SQL injection vulnerability due to improper sanitization of a parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The JoomSport WordPress plugin for sports league results management before version 5.2.8 fails to properly sanitize and escape a parameter before using it in a SQL statement. This allows an unauthenticated attacker to inject arbitrary SQL queries. [1]
Exploitation
An attacker can exploit this vulnerability without any authentication by sending a crafted request containing malicious SQL in the vulnerable parameter. The exact parameter is not publicly disclosed, but a proof of concept exists. [1]
Impact
Successful exploitation allows an attacker to read, modify, or delete arbitrary data in the WordPress database, potentially leading to complete site compromise, including user credential theft, file manipulation, and privilege escalation. [1]
Mitigation
The vulnerability is fixed in version 5.2.8. Users should update immediately. No workaround is available. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / JoomSport
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and escaping of a parameter before use in a SQL statement allows unauthenticated SQL injection."
Attack vector
An unauthenticated attacker can inject malicious SQL by sending a crafted HTTP request to the JoomSport plugin. The plugin fails to properly sanitize and escape a parameter before incorporating it into a SQL query [1]. This allows the attacker to manipulate the query to extract, modify, or delete database content. The vulnerability is classified as CWE-89 (SQL Injection) and is exploitable without any authentication [1].
Affected code
The advisory does not specify the exact file or function name within the JoomSport plugin that contains the vulnerability [1]. The vulnerable parameter is not named in the available references.
What the fix does
The advisory states the vulnerability is fixed in version 5.2.8 of the JoomSport plugin [1]. No patch diff is provided in the bundle, but the fix presumably involves proper sanitization and parameterized queries or escaping of the vulnerable parameter before it is used in the SQL statement. Users should update to version 5.2.8 or later to remediate the issue.
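As an added illustration of the fix pattern described above (this is not JoomSport's own code; the plugin's real file, function, table and parameter names are not disclosed in the references, so `match_id` and the `joomsport_*` table names here are hypothetical), the unsafe WordPress query pattern next to its hardened form using `$wpdb->prepare()`:

```php
<?php
// Added example: hypothetical WordPress plugin handler, not JoomSport code.
// The actual vulnerable file, function and parameter are not public.

// UNSAFE (CWE-89): the request value is concatenated straight into the SQL text,
// so whatever the caller sends becomes part of the query.
function js_example_get_match_unsafe( $wpdb, $request ) {
    $match_id = $request['match_id']; // hypothetical parameter, caller-controlled
    $sql = "SELECT * FROM {$wpdb->prefix}joomsport_matches WHERE id = " . $match_id;
    return $wpdb->get_results( $sql );
}

// HARDENED: coerce to the expected type, reject bad input early, then bind the
// value with $wpdb->prepare() so it is never interpreted as SQL.
function js_example_get_match_safe( $wpdb, $request ) {
    $match_id = isset( $request['match_id'] ) ? absint( $request['match_id'] ) : 0;
    if ( 0 === $match_id ) {
        return array(); // missing or non-numeric id: do not touch the database
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}joomsport_matches WHERE id = %d",
        $match_id
    );
    return $wpdb->get_results( $sql );
}

// String parameters use the %s placeholder; LIKE patterns must additionally be
// passed through $wpdb->esc_like() so '%' and '_' in user input stay literal.
function js_example_search_teams_safe( $wpdb, $term ) {
    $pattern = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}joomsport_teams WHERE name LIKE %s",
            $pattern
        )
    );
}
```

When auditing a plugin for this class of bug, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL string is built with concatenation or interpolation of request data rather than passed through `prepare()`.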
Preconditions
- Network: The attacker must be able to send HTTP requests to the WordPress site running the vulnerable plugin.
- Input: The attacker must craft a malicious SQL payload in the unsanitized parameter.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f (MITRE reference; exploit; VDB entry; technical description)
News mentions
No linked articles in our index yet.