CVE Catalog

CVE-2026-12133

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

The JoomSport plugin for WordPress up to version 5.7.8 contains a missing authorization vulnerability in the joomsport_season_groupdel() AJAX handler. It allows authenticated attackers with Subscriber-level access or higher to delete arbitrary JoomSport groups without proper capability checks.

Risk Assessment

The organization is at risk of unauthorized deletion of sports group data, potentially leading to data integrity loss and disruption of leagues, teams, or other structures managed by the plugin.

Recommendation

Immediately update the JoomSport plugin to the latest available version that includes a fix for this vulnerability. If no update is available, temporarily disable the plugin or restrict AJAX function access for unauthorized users.

Original NVD description (English source)

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsport_season_groupdel() AJAX handler, which only verifies a nonce before executing a DELETE query on attacker-supplied group IDs. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary JoomSport group records.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS