CVE-2026-42647
No known patch is available for this vulnerability.
The affected plugin has not been updated on WordPress.org since before this CVE was disclosed; the latest installable version is still vulnerable. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Improper neutralization in JoomSport plugin allows unauthenticated blind SQL injection, leading to database compromise and data theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A blind SQL injection vulnerability exists in Beardev JoomSport, a WordPress plugin for sports league management. The issue is due to improper neutralization of special elements used in an SQL command. All versions up to and including 5.7.7 are affected [1]. The vulnerable code path is reachable without authentication, so it is exposed to any visitor of a site running the plugin.
Exploitation
An attacker needs only network access to the WordPress site; no authentication or special privileges are required. By crafting a malicious input in a parameter that is not properly sanitized, the attacker can inject SQL commands. Because it is a blind SQL injection, the attacker may need to observe response timing or boolean-based differences to extract data, but automation tools can easily exploit this [1].
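Because a blind injection yields no error text, the traces it leaves in web-server access logs are the timing probes (SLEEP-style calls) and paired true/false conditions the paragraph above describes. The following Python is an added example for defenders, not code from this page or from the plugin; the combined-format log lines are constructed, and the parameter name `sid` is an assumption rather than a known parameter of the affected plugin.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jun/2026:10:00:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2026:10:00:02 +0000] "GET /?sid=3%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [11/Jun/2026:10:00:09 +0000] "GET /?sid=3%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [11/Jun/2026:10:00:10 +0000] "GET /?sid=3%20AND%201%3D2 HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.9 - - [11/Jun/2026:10:00:11 +0000] "GET /?s=sleep+well HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Time-based probes: a delay function call; the "(" keeps plain words like "sleep" clean.
TIME_BASED = re.compile(r'\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.I)
# Boolean-based probes: an AND/OR followed by a value comparison (1=1, 1=2, 'a'='a').
BOOLEAN_BASED = re.compile(r"\b(?:and|or)\b\s*'?\w+'?\s*=\s*'?\w+'?", re.I)


def parse_line(line):
    """Return the log fields plus the URL-decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # parse_qsl percent-decodes values, so %20AND%201%3D1 becomes " AND 1=1".
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def classify(params):
    """Label a request's parameters as a blind-SQLi probe class, or None if clean."""
    for _, value in params:
        if TIME_BASED.search(value):
            return "time-based"
        if BOOLEAN_BASED.search(value):
            return "boolean-based"
    return None


def scan_log(text):
    """Yield (client ip, probe class, decoded params) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and (kind := classify(rec["params"])):
            findings.append((rec["ip"], kind, rec["params"]))
    return findings
```

Paired boolean probes from one client that differ only in the condition and in response size (5120 vs 1024 bytes above) are the strongest signal; the benign search for "sleep well" is left unflagged.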
Impact
Successful exploitation allows the attacker to directly interact with the database. This can lead to extraction of sensitive information (e.g., user credentials, private data), modification of database content, or potential elevation of privileges. The CVSS v3 score is 9.3 (Critical) and the vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in mass campaigns [1].
Mitigation
The vendor has released version 5.7.8 which resolves the vulnerability. Users must update to version 5.7.8 or later immediately [1]. For those unable to update immediately, Patchstack provides a mitigation rule that blocks attacks until the plugin is updated. The vulnerability is under active exploitation, so urgent action is recommended [1].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=5.7.7
Patches
joomsport-sports-league-results-management
This plugin appears unmaintained. Its last release on WordPress.org predates this CVE's publication, so no fix has been shipped since the vulnerability was disclosed, and the latest installable version is still vulnerable. Users should uninstall it or switch to an actively maintained alternative.
Source: api.wordpress.org · directory page
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.