Description
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-10-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Local File Inclusion
Action: Patch Now
AI Analysis

Impact

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress suffers from a Local File Inclusion flaw in all releases up to 5.7.3, allowing an unauthenticated attacker to supply a crafted request that causes the application to include and execute PHP files from the server. This vulnerability aligns with CWE-98 and provides the attacker with the ability to execute arbitrary PHP code, bypass authentication, exfiltrate data, or compromise the entire WordPress installation.

Affected Systems

Any WordPress site using the JoomSport plugin version 5.7.3 or earlier is affected. The flaw resides in the plugin’s controller code that processes the `task` parameter without proper validation, enabling inclusion of local server files when the vulnerable command is called.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical. The EPSS score is less than 1%, indicating a very low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, because the attack does not require authentication and can execute arbitrary code, the potential impact remains severe. An attacker can construct a request containing the vulnerable `task` parameter and point it at any readable PHP file, causing that code to run under the web server’s privileges.

Generated by OpenCVE AI on April 21, 2026 at 02:37 UTC.
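As an added example of the CWE-98 pattern the analysis above describes and the fix for it (hypothetical code, not JoomSport's own; the page does not show the plugin's source), a dispatcher that maps the `task` parameter to a fixed allowlist of controller files instead of building an include path from request data. The class name, task names and directory layout are assumptions.

```php
<?php
// Added example, not the plugin's code. Hypothetical dispatcher for a WordPress
// plugin that selects a controller file via a "task" request parameter.
// The unsafe CWE-98 pattern builds the include path from the raw parameter,
// e.g.  include $dir . $_REQUEST['task'] . '.php';  so any PHP file the web
// server can read (including via traversal sequences) becomes includable.
// The safe form never uses request data as a path: the parameter is only a
// key into a fixed allowlist, and anything else is rejected before include.

final class TaskDispatcher
{
    /** @var array<string,string> task name => controller file (fixed, relative to baseDir) */
    private const TASKS = [
        'league' => 'controllers/league.php',
        'team'   => 'controllers/team.php',
        'match'  => 'controllers/match.php',
    ];

    public function __construct(private string $baseDir) {}

    /** Resolve a task name to an absolute path, or null if it is not allowed. */
    public function resolve(?string $task): ?string
    {
        if ($task === null || !isset(self::TASKS[$task])) {
            return null; // unknown or absent task: nothing is included
        }
        $base = realpath($this->baseDir);
        $path = realpath($this->baseDir . '/' . self::TASKS[$task]);
        // Defence in depth: the file must exist and sit under $baseDir even
        // though the allowlist already fixes the set of candidates.
        $prefix = $base . DIRECTORY_SEPARATOR;
        if ($base === false || $path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $path;
    }

    /** Dispatch the request; on a rejected task send 400, log it, and include nothing. */
    public function dispatch(array $request): bool
    {
        $task = isset($request['task']) && is_string($request['task']) ? $request['task'] : null;
        $file = $this->resolve($task);
        if ($file === null) {
            http_response_code(400);
            // Rejected values surface in the server log, which is where probing shows up.
            error_log('Rejected task parameter: ' . var_export($task, true));
            return false;
        }
        require $file;
        return true;
    }
}

// Assumed wiring from a plugin request hook:
// (new TaskDispatcher(__DIR__))->dispatch($_GET);
```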

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JoomSport plugin to any version newer than 5.7.3, which removes the vulnerable task handling logic.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the JoomSport plugin to eliminate the attack surface.
  • Configure WordPress file permissions to disallow execution of PHP files in directories where user‑uploaded or plugin files reside, and ensure the `allow_url_include` setting is disabled.

Advisories

Source: EUVD
ID: EUVD-2025-32275
Title: The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
History

Mon, 06 Oct 2025 14:45:00 +0000

  First Time appeared (values added): Beardev; Beardev joomsport; Wordpress; Wordpress wordpress
  Vendors & Products (values added): Beardev; Beardev joomsport; Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 18:15:00 +0000

  Metrics (values added): ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Oct 2025 11:30:00 +0000

  Description (values added): The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
  Title (values added): JoomSport <= 5.7.3 - Unauthenticated Directory Traversal to Local File Inclusion
  Weaknesses (values added): CWE-98
  References (values added):
  Metrics (values added): cvssV3_1
  {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:58.867Z

Reserved: 2025-07-16T16:45:22.676Z

Link: CVE-2025-7721

Vulnrichment

Updated: 2025-10-03T18:09:30.416Z

NVD

Status: Deferred

Published: 2025-10-03T12:15:44.640

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses