CVE Catalog

CVE-2026-12134

Severity: Medium · CVSS 4.3
Translated from NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.40%

32nd percentile: higher than 32% of all known CVEs

Summary

The JoomSport plugin for WordPress up to version 5.7.8 contains an authorization bypass vulnerability. It allows authenticated attackers with subscriber-level access or higher to create arbitrary season groups and modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages rendering a JoomSport shortcode.

Risk Assessment

The organization is at risk of unauthorized modifications to season group data and participants, potentially disrupting league and tournament operations and compromising the integrity of sports information.

Recommendation

Immediately update the JoomSport plugin to the latest available version that fixes this vulnerability. Additionally, consider restricting access to pages with JoomSport shortcodes for untrusted users.

Original NVD description (English source)

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary season groups or modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages that render a JoomSport shortcode.
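As an added illustration of the bug class named in the summary and in the NVD text above (a constructed example, not JoomSport's code): a WordPress AJAX handler that verifies only the nonce, next to the same handler with a capability check. The action, nonce and option names (`jsx_save_group`, `jsx_nonce`, `jsx_group_*`) and the use of `manage_options` are assumptions.

```php
<?php
// Constructed example for the bug class in this CVE; not the plugin's own code.
// Names below (jsx_save_group, jsx_nonce, jsx_group_*) are hypothetical.

// Vulnerable pattern: the handler checks the nonce and nothing else.
// A nonce only shows the request came from a page the user loaded (CSRF
// protection). When that nonce is printed on a public frontend page, every
// logged-in subscriber can read it, so it grants no authorization at all.
function jsx_save_group_vulnerable() {
    check_ajax_referer('jsx_nonce', 'nonce');           // CSRF check only

    $group_id = absint($_POST['group_id'] ?? 0);
    $name     = sanitize_text_field($_POST['name'] ?? '');

    update_option('jsx_group_' . $group_id, $name);     // reachable by any subscriber
    wp_send_json_success();
}

// Fixed pattern: keep the nonce check for CSRF, then check that the current
// user holds a capability that permits this action. 'manage_options' is a
// conservative stand-in; a real plugin would register its own capability.
function jsx_save_group_fixed() {
    if (!check_ajax_referer('jsx_nonce', 'nonce', false)) {
        wp_send_json_error('invalid nonce', 403);
    }
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);            // subscriber stops here
    }

    $group_id = absint($_POST['group_id'] ?? 0);
    $name     = sanitize_text_field($_POST['name'] ?? '');

    update_option('jsx_group_' . $group_id, $name);
    wp_send_json_success();
}

// Only the fixed handler is hooked; the vulnerable one is kept for comparison.
// The wp_ajax_ prefix (without nopriv) already restricts it to logged-in users,
// which is exactly why the capability check is still required.
add_action('wp_ajax_jsx_save_group', 'jsx_save_group_fixed');
```

When auditing a plugin for this class of issue, look for `wp_ajax_*` handlers whose only guard is `check_ajax_referer` or `wp_verify_nonce` with no `current_user_can` call before the state-changing code.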

Vulnerability data from NVD (NIST) · CISA KEV · EPSS