Description
The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-06-19
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Stored)
Action: Immediate Patch
AI Analysis

Impact

The Football Pool plugin for WordPress has a stored cross‑site scripting flaw that allows any authenticated user with administrative or higher privileges to insert arbitrary JavaScript via the plugin’s admin settings. Because the input is not properly sanitized or escaped, the injected script runs whenever a page containing the stored data is viewed by any user. This can enable session hijacking, credential theft, or defacement of the site. The weakness is a classic input validation failure (CWE‑79).

Affected Systems

All installations of the Football Pool plugin from any version up to and including 2.12.4, for which the WordPress installation is a multi‑site network and the unfiltered_html capability is disabled. The affected product is the WordPress plugin Football Pool published by the vendor antoineh.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. The EPSS score is below 1 %, suggesting that widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. An attacker must first authenticate as an administrator or higher level and then use the plugin’s configuration interface to inject the malicious payload. Once injected, the payload will execute for all users who view the affected page, giving the attacker the same access rights as those users. The likely attack vector is the administrative panel of the plugin, and the condition of a multi‑site WordPress environment with unfiltered_html disabled is required for exploitation.

Generated by OpenCVE AI on April 22, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Football Pool plugin (2.12.5 or newer) which removes the unsanitized input handling.
  • If the plugin cannot be updated immediately, restrict the unfiltered_html capability for administrators in the WordPress network and remove any custom fields that allow raw HTML in the plugin settings.
  • Configure a web application firewall to block script tags or other malicious payloads from being stored in the plugin’s configuration fields.

Generated by OpenCVE AI on April 22, 2026 at 17:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28575 The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Wed, 16 Jul 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Antoineh
Antoineh football Pool
CPEs cpe:2.3:a:antoineh:football_pool:*:*:*:*:*:wordpress:*:*
Vendors & Products Antoineh
Antoineh football Pool

Fri, 20 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Jun 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Football Pool <= 2.12.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Antoineh Football Pool
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:13.743Z

Reserved: 2025-06-02T23:14:09.364Z

Link: CVE-2025-5490

cve-icon Vulnrichment

Updated: 2025-06-20T12:38:18.849Z

cve-icon NVD

Status : Modified

Published: 2025-06-19T06:15:19.347

Modified: 2026-04-08T17:20:48.457

Link: CVE-2025-5490

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses