JoomSport – For Sports: Team & League, Football, Hockey & More Plugin <= 5.7.7 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/joomsport--for-sports-team--league-football-hockey--more-plugin--5.7.7/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 13 May 2026 15:51:02 +0000JoomSport WordPress Plugin Vulnerable to Time-Based Blind SQL Injection (CVE-2026-6929)https://feed.craftedsignal.io/briefs/2026-05-joomsport-sqli/Wed, 13 May 2026 15:51:02 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-joomsport-sqli/The JoomSport plugin for WordPress is vulnerable to time-based blind SQL Injection (CVE-2026-6929) via the 'sortf' parameter in versions up to 5.7.7, allowing unauthenticated attackers to extract sensitive information from the database.The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is susceptible to a time-based blind SQL Injection vulnerability. This flaw, identified as CVE-2026-6929, affects all versions up to and including 5.7.7. The vulnerability exists due to insufficient input sanitization of the ‘sortf’ parameter and inadequate preparation of the SQL query. This allows unauthenticated attackers to inject malicious SQL code into existing queries, potentially leading to the extraction of sensitive database information. Successful exploitation could compromise the integrity and confidentiality of the WordPress site’s data.

Attack Chain

  1. An unauthenticated attacker sends a malicious HTTP request to the WordPress site.
  2. The request targets an endpoint that utilizes the JoomSport plugin.
  3. The attacker crafts the request to include a ‘sortf’ parameter containing a time-based blind SQL injection payload.
  4. The JoomSport plugin processes the request without properly sanitizing the ‘sortf’ parameter.
  5. The unsanitized input is incorporated into an SQL query executed against the WordPress database.
  6. The injected SQL code leverages time-based delays to infer information about the database structure and content.
  7. The attacker analyzes the response times to determine the results of the injected SQL queries.
  8. Through repeated requests, the attacker extracts sensitive information, such as usernames, passwords, or other confidential data stored in the database.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive data from the WordPress database. This could include usernames, passwords, email addresses, and other confidential information. The impact ranges from data breaches and compromised user accounts to potential defacement of the website and further malicious activities. If the database contains sensitive financial data, the consequences could be even more severe.

Recommendation

  • Upgrade the JoomSport – for Sports: Team & League, Football, Hockey & more plugin to the latest version to patch CVE-2026-6929.
  • Deploy the Sigma rule “Detect CVE-2026-6929 Exploitation Attempt via JoomSport SQL Injection” to your SIEM to identify potential exploitation attempts.
  • Monitor web server logs for suspicious requests containing SQL injection payloads in the ‘sortf’ parameter to identify and block malicious activity.
]]>highthreatsqliwordpresscve-2026-6929joomsportinjection