CVE-2025-7721
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform Local File Inclusion (LFI) in the JoomSport WordPress plugin, enabling them to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and access control bypass. All WordPress sites using JoomSport plugin versions up to 5.7.3 are affected.
💻 Affected Systems
- JoomSport – for Sports: Team & League, Football, Hockey & more WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, leading to data exfiltration, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthenticated attackers execute arbitrary PHP code to deface websites, steal sensitive data, or install cryptocurrency miners.
If Mitigated
Attackers can still probe for vulnerable systems but cannot execute code due to proper file upload restrictions and server hardening.
🎯 Exploit Status
Exploitation is straightforward via crafted HTTP requests to the vulnerable task parameter. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.4
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3371353/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the JoomSport plugin and update to version 5.7.4 or later.
4. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the JoomSport plugin until patched
wp plugin deactivate joomsport-sports-league-results-management
Web Application Firewall rule
Block requests containing malicious task parameter patterns
Add WAF rule: Block if request_uri contains 'task=' and matches LFI patterns
🧯 If You Can't Patch
- Implement strict file upload restrictions to prevent PHP file uploads
- Use web application firewall with LFI protection rules
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel → Plugins → JoomSport version. If the version is 5.7.3 or earlier, the site is vulnerable.
Check Version:
wp plugin get joomsport-sports-league-results-management --field=version
Verify Fix Applied:
Confirm JoomSport plugin version is 5.7.4 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with task parameter containing file paths (e.g., task=../../../etc/passwd)
- Multiple failed LFI attempts in web server logs
Network Indicators:
- Unusual outbound connections from web server after LFI exploitation
- HTTP requests with task parameter and PHP file extensions
SIEM Query:
source="web_logs" AND (uri="*task=*" AND (uri="*../*" OR uri="*.php*"))
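As an added illustration of the log indicators above (not code from this advisory or from the JoomSport project), the following Python script applies the same rule to constructed access-log lines; unlike the SIEM query it decodes the task parameter until stable, so double URL-encoded traversal is not missed, and it tallies hits per client to surface repeated attempts. Function names and the sample lines are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote
# Detection rule mirroring the log indicators above: a 'task' query parameter
# carrying path traversal or a reference to a PHP file.
TRAVERSAL = re.compile(r"\.\.[/\\]")
PHP_FILE = re.compile(r"\.php\b", re.IGNORECASE)
# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})')
def task_values(uri):
    # Decode each 'task' value until stable so double URL-encoding
    # (%252e%252e%252f) cannot hide a traversal from the pattern match.
    for v in parse_qs(urlsplit(uri).query, keep_blank_values=True).get("task", []):
        prev = None
        while prev != v:
            prev, v = v, unquote(v)
        yield v

def classify(line):
    # Return a finding dict for a suspicious request, None for benign/unparseable.
    m = LOG_RE.match(line)
    if not m:
        return None
    for task in task_values(m.group("uri")):
        reasons = []
        if TRAVERSAL.search(task):
            reasons.append("path-traversal")
        if PHP_FILE.search(task):
            reasons.append("php-include")
        if reasons:
            return {"ip": m.group("ip"), "task": task,
                    "status": int(m.group("status")), "reasons": reasons}
    return None

def scan(lines):
    return [f for f in map(classify, lines) if f]

def attempts_by_ip(findings):
    # Repeated hits from one client match the 'multiple LFI attempts' indicator.
    return Counter(f["ip"] for f in findings)

# Constructed sample lines (not real traffic): a benign JoomSport request,
# a plain traversal, a double-encoded traversal and a bare PHP include.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=joomsport&task=view HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2025:12:00:02 +0000] "GET /?page=joomsport&task=../../../etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Jul/2025:12:00:03 +0000] "GET /?task=%252e%252e%252fwp-config.php HTTP/1.1" 500 0',
    '192.0.2.9 - - [10/Jul/2025:12:00:04 +0000] "POST /index.php?task=uploads/2025/x.php HTTP/1.1" 404 0',
]
```

Only the task parameter is inspected, so `.php` in the request path itself (admin-ajax.php, index.php) does not trigger a finding.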
🔗 References
- https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/sportleague/base/wordpress/classes/class-jsport-controller.php#L74
- https://plugins.trac.wordpress.org/changeset/3371353/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4f3900c7-2acb-4031-9854-b0b13e172e1f?source=cve