CRITICAL🇵🇱 Wersja polska

CVE-2025-7721

CVSS 9.8v3.1pub. 2025-10-03upd. 2026-04-15

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

🤖 AI Analysis
How it works

The vulnerability (CWE-98: PHP Remote File Inclusion) results from insufficient validation of the task parameter value passed by the user in the class-jsport-controller.php class. An attacker can use a specially crafted HTTP request to point to any .php file present on the server, which will then be included and executed by the PHP interpreter. In a scenario where the attacker has the ability to previously upload a .php file to the server (e.g., through an upload mechanism), this vulnerability leads directly to remote code execution (RCE).

Impact

An unauthenticated attacker can execute arbitrary PHP code on the server, bypass access control mechanisms, and gain access to sensitive data. Under favorable conditions, complete server takeover is possible.

Mitigation & patch

The JoomSport plugin must be immediately updated to a version higher than 5.7.3. The patch is available in the WordPress repository under changeset 3371353. Until the update is applied, it is recommended to deactivate the plugin on production sites.

Who is affected

JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress in all versions up to and including 5.7.3.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References