CVE-2019-14348
📋 TL;DR
This vulnerability allows SQL injection attacks in the BearDev JoomSport plugin for WordPress. Attackers can steal, modify, or delete database information via the 'sid' parameter in playerlist requests. WordPress sites using JoomSport plugin version 3.3 are affected.
💻 Affected Systems
- BearDev JoomSport WordPress Plugin
📦 What is this software?
Joomsport by Beardev
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, modification, or deletion; potential for full site takeover via privilege escalation.
Likely Case
Database information theft including user credentials, sensitive content, and configuration data.
If Mitigated
Limited impact with proper input validation and database permissions in place.
🎯 Exploit Status
Exploit requires no authentication and uses simple SQL injection techniques via URL parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4 or later
Vendor Advisory: https://wordpress.org/plugins/joomsport/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the JoomSport plugin.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin, then install the latest version from the WordPress repository.
🔧 Temporary Workarounds
Input Validation WAF Rule
Add a web application firewall rule to block SQL injection attempts in the sid parameter.
ModSecurity rule: SecRule ARGS:sid "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt in sid parameter'"
Disable Vulnerable Endpoint
Block access to the vulnerable playerlist endpoint via .htaccess or nginx config. Note that neither an Apache RewriteRule pattern nor an nginx location block matches the query string, so the action parameter has to be tested separately:
Apache (.htaccess):
RewriteCond %{QUERY_STRING} (^|&)action=playerlist(&|$) [NC]
RewriteRule ^joomsport_season/new-yorkers/?$ - [F,L]
Nginx:
location ~* ^/joomsport_season/new-yorkers/ { if ($arg_action = "playerlist") { return 403; } }
🧯 If You Can't Patch
- Deactivate JoomSport plugin immediately
- Implement strict database user permissions and enable query logging
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for JoomSport version 3.3
Check Version:
wp plugin list --name=joomsport --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify JoomSport plugin version is 3.4 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- SQL error messages in web server logs
- Unusual database queries from web application
- Multiple requests to /joomsport_season/new-yorkers/?action=playerlist with SQL-like parameters
Network Indicators:
- HTTP requests containing SQL keywords in sid parameter
- Unusual traffic patterns to vulnerable endpoint
SIEM Query:
source="web_server.log" AND (uri="/joomsport_season/new-yorkers/" AND query="action=playerlist") AND (sid="*UNION*" OR sid="*SELECT*" OR sid="*INSERT*" OR sid="*DELETE*")
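As an added example (not part of the original advisory), the following Python script applies the log indicators above to a few constructed access-log lines in combined format: it isolates requests to the playerlist action under /joomsport_season/, percent-decodes the sid parameter (a second time as well, so double-encoded payloads are not missed), and flags values containing the SQL tokens named in the SIEM query. It assumes the season slug ("new-yorkers" on this page) varies per site, that a legitimate sid is a numeric id, and it checks a few extra tokens beyond the four in the query; these are the example's own assumptions, not statements from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines in Apache/Nginx "combined" format (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2019:10:01:02 +0000] "GET /joomsport_season/new-yorkers/?action=playerlist&sid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Aug/2019:10:01:05 +0000] "GET /joomsport_season/new-yorkers/?action=playerlist&sid=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 7300 "-" "curl/7.64.0"
203.0.113.12 - - [12/Aug/2019:10:01:09 +0000] "GET /joomsport_season/new-yorkers/?action=playerlist&sid=12%27--%20 HTTP/1.1" 500 0 "-" "python-requests/2.22.0"
203.0.113.13 - - [12/Aug/2019:10:02:00 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Tokens from the advisory's SIEM query (UNION/SELECT/INSERT/DELETE) plus a few
# common injection markers; the extra tokens are this example's own assumption.
SQLI_TOKEN_RE = re.compile(
    r"\b(?:UNION|SELECT|INSERT|DELETE|UPDATE|DROP|SLEEP|BENCHMARK)\b|--|/\*|'",
    re.IGNORECASE,
)

ENDPOINT_PREFIX = "/joomsport_season/"  # the season slug after this varies per site (assumption)


def inspect_request(target: str):
    """Return (sid_raw, sid_decoded) if `target` is a JoomSport playerlist request, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith(ENDPOINT_PREFIX):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("action", [""])[0] != "playerlist":
        return None
    sid_raw = params.get("sid", [""])[0]   # parse_qs already percent-decodes once
    sid_decoded = unquote_plus(sid_raw)    # second pass catches double-encoded payloads
    return sid_raw, sid_decoded


def flag_line(line: str):
    """Return a finding dict for a suspicious playerlist request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    inspected = inspect_request(m.group("target"))
    if inspected is None:
        return None
    _sid_raw, sid_decoded = inspected
    reasons = [t.group(0).upper() for t in SQLI_TOKEN_RE.finditer(sid_decoded)]
    # A legitimate sid is expected to be a numeric id (assumption); anything else is worth a look.
    if not sid_decoded.isdigit():
        reasons.append("non-numeric sid")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "sid": sid_decoded,
        "reasons": reasons,
    }


def scan_log(text: str):
    """Scan a whole log file's text and return all findings in order of appearance."""
    return [f for f in (flag_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['ip']} status={finding['status']} "
              f"sid={finding['sid']!r} reasons={finding['reasons']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's contents; a 500 status on a flagged request is the pairing the "SQL error messages in web server logs" indicator above is pointing at, and a high request rate from one client to this endpoint is the volume indicator.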
🔗 References
- http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html
- https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/
- https://wpvulndb.com/vulnerabilities/9499