CVE-2026-12134
Severity: Medium (CVSS 4.3)
Exploitation Probability (EPSS): low risk, 32nd percentile (higher than 32% of all known CVEs)
Summary
The JoomSport plugin for WordPress up to version 5.7.8 contains an authorization bypass vulnerability. It allows authenticated attackers with subscriber-level access or higher to create arbitrary season groups and modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages rendering a JoomSport shortcode.
Risk Assessment
The organization is at risk of unauthorized modifications to season group data and participants, potentially disrupting league and tournament operations and compromising the integrity of sports information.
Recommendation
Immediately update the JoomSport plugin to the latest available version that fixes this vulnerability. Additionally, consider restricting access to pages with JoomSport shortcodes for untrusted users.
Original NVD description (English source)
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary season groups or modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages that render a JoomSport shortcode.
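The root cause named above (a nonce check standing in for an authorization check) is easiest to see side by side. The following is an added illustration, not code from the JoomSport plugin: a hypothetical WordPress AJAX handler that verifies only the nonce, beside the same handler with a capability check added. The hook names, the nonce action and query-arg names, the `manage_options` capability and the option-based storage are all assumptions.

```php
<?php
// Added example, not JoomSport code. All names below are hypothetical.

// Weak pattern: only the nonce is verified. A nonce is a CSRF token,
// not an authorization decision. When it is printed on any frontend
// page that renders the shortcode, every logged-in user (subscriber
// and above) can read it, so this check proves only that the request
// carried a valid nonce, not that the caller may edit season groups.
add_action( 'wp_ajax_js_save_group_weak', function () {
    check_ajax_referer( 'joomsportajaxnonce', 'nonce' ); // assumed action/arg names
    $id   = absint( $_POST['group_id'] ?? 0 );
    $name = sanitize_text_field( wp_unslash( $_POST['group_name'] ?? '' ) );
    update_option( 'js_group_' . $id, $name ); // stand-in for the plugin's store
    wp_send_json_success( array( 'id' => $id, 'name' => $name ) );
} );

// Hardened pattern: nonce (request forgery) plus capability (authorization).
// Use the capability the plugin actually grants to league managers;
// 'manage_options' (administrators only) is assumed here as a
// conservative default. The nonce is still checked so that an
// administrator cannot be tricked into submitting the request from
// another site.
add_action( 'wp_ajax_js_save_group', function () {
    check_ajax_referer( 'joomsportajaxnonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // Deny before touching any input or data; 403 keeps the failure visible in logs.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $id   = absint( $_POST['group_id'] ?? 0 );
    $name = sanitize_text_field( wp_unslash( $_POST['group_name'] ?? '' ) );
    update_option( 'js_group_' . $id, $name );
    wp_send_json_success( array( 'id' => $id, 'name' => $name ) );
} );
```

The same capability check belongs in every handler that creates groups or edits participants and round-type options, since each is a separate `wp_ajax_` endpoint; a single fixed endpoint does not protect the others.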

