Impact
The Sports Club Management plugin accepts arbitrary input through its 'before' and 'after' shortcode attributes. When a user with Contributor or higher privileges supplies unsanitized content, the strings are stored and later rendered directly into the page without escaping. This allows an attacker to inject malicious JavaScript that executes in the browser context of any visitor who views the affected page, potentially exposing session data or performing other malicious actions. The vulnerability aligns with CWE‑79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
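To make the flaw concrete, the following is an added illustration, not the plugin's own code: a WordPress shortcode handler that concatenates its 'before' and 'after' attributes into the output unescaped, beside a hardened version that filters them. The shortcode tag 'scm_demo' and the function names are hypothetical; only the attribute names come from the advisory.

```php
<?php
// Added illustration, not the Sports Club Management plugin's code.
// The tag 'scm_demo' and the function names are hypothetical; the
// 'before' and 'after' attribute names are the ones named in the advisory.

// Vulnerable pattern: attribute values are concatenated straight into the
// returned markup, so whatever a Contributor places in 'before' or 'after'
// is stored with the post and rendered verbatim to every visitor (CWE-79).
function scm_demo_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'before' => '', 'after' => '' ),
        $atts,
        'scm_demo'
    );
    $content = '<span class="scm-demo">Club schedule</span>';
    return $atts['before'] . $content . $atts['after'];
}

// Hardened pattern: pass each attribute through wp_kses_post(), which keeps
// the HTML a post author is normally allowed to use and strips script tags,
// inline event handlers and javascript: URLs. If the attributes are never
// meant to carry markup at all, esc_html() is the stricter choice.
function scm_demo_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'before' => '', 'after' => '' ),
        $atts,
        'scm_demo'
    );
    $content = '<span class="scm-demo">Club schedule</span>';
    return wp_kses_post( $atts['before'] )
        . $content
        . wp_kses_post( $atts['after'] );
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_shortcode( 'scm_demo', 'scm_demo_shortcode_hardened' );
```

Escaping at output time is the durable fix: it protects every stored value, including attributes saved before the patch was applied.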
Affected Systems
The flaw is present in all releases of the Sports Club Management WordPress plugin up to and including version 1.12.9. The affected product is the plugin developed by pstruik, distributed through the WordPress plugin repository. End‑users running these versions on any WordPress installation are at risk.
Risk and Exploitability
The static CVSS score is 6.4, indicating medium severity, while no EPSS data is available and this vulnerability is not cataloged in CISA’s KEV list. The required privilege level is Contributor or higher, a role typically granted to authenticated users who need to edit content. Once the malicious script is embedded, any visitor to the page will execute it, turning the vulnerability into a broad cross‑site scripting vector. Exploitation is straightforward for an attacker with the necessary role: the attacker simply adds content to a page or post using the shortcode. The impact is confined to the affected WordPress site and its users, but can lead to cookie theft, session hijacking, defacement, or further compromise.
OpenCVE Enrichment