JoomSport

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Basic Information

ID CVE-2025-7721

Source Wordfence

Published Oct 3, 2025 at 11:17

Affected Product

Vendor beardev

Product JoomSport – for Sports: Team & League, Football, Hockey & more

Version *

Affected Versions beardev JoomSport – for Sports: Team & League, Football, Hockey & more *

CWE Classification

CWE-98

References

{
    "lastseen": "",
    "description": "The JoomSport \u2013 for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.",
    "published": "2025-10-03T11:17:11.999Z",
    "modified": "2025-10-03T11:17:11.999Z",
    "type": "cve",
    "title": "JoomSport <= 5.7.3 - Unauthenticated Directory Traversal to Local File Inclusion",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f3900c7-2acb-4031-9854-b0b13e172e1f?source=cve\nhttps://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/sportleague/base/wordpress/classes/class-jsport-controller.php#L74\nhttps://plugins.trac.wordpress.org/changeset/3371353/",
    "id": "CVE-2025-7721",
    "bulletinFamily": "",
    "cwe": [
        "CWE-98"
    ],
    "cvelist": null,
    "sourceData": "beardev JoomSport \u2013 for Sports: Team & League, Football, Hockey & more *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "JoomSport \u2013 for Sports: Team & League, Football, Hockey & more",
    "version": "*",
    "vendor": "beardev",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

JoomSport <= 5.7.3 - Unauthenticated Directory Traversal to Local File Inclusion_CVE-2025-7721