CVE-2026-13010 in JoomSport Plugin
Summary
by MITRE • 07/10/2026
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based SQL Injection via 'event' Shortcode Attribute in all versions up to, and including, 5.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The shortcode can be embedded in posts or pages by Contributor-level users, making this exploitable by any authenticated user with at least that role.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability identified in the JoomSport WordPress plugin represents a critical time-based sql injection flaw that affects versions through 5.7.9. This security weakness resides within the event shortcode attribute handling mechanism where insufficient input sanitization permits malicious parameter manipulation. The vulnerability operates through a classic sql injection vector where attacker-controlled data is directly incorporated into sql query construction without proper escaping or parameterization. The flaw specifically manifests when the event shortcode attribute receives user-supplied input that bypasses existing validation mechanisms, allowing for arbitrary sql command injection. Attackers can leverage this weakness by crafting malicious input that exploits the time-based timing attack methodology to extract database information through response delay variations.
The technical exploitation of this vulnerability requires an authenticated attacker possessing contributor-level privileges or higher, which significantly broadens the threat surface since contributor accounts are commonly available in wordpress environments. The attacker can embed malicious shortcodes within posts or pages, making the attack vector highly accessible and potentially difficult to detect within standard content management workflows. This vulnerability directly maps to cwes 89 and 916, representing sql injection and improper neutralization of special elements used in sql commands respectively. The weakness enables authenticated attackers to execute additional sql queries that can extract sensitive data including user credentials, configuration details, and other database contents through the time-based timing mechanism that measures query execution delays.
The operational impact of this vulnerability extends beyond simple information disclosure to potentially enable full database compromise and system takeover scenarios. Attackers can utilize the injected sql commands to enumerate database schemas, extract user accounts with their hashed passwords, access administrative configurations, and potentially escalate privileges within the wordpress environment. The time-based nature of the injection allows for stealthy data exfiltration that may not immediately trigger standard intrusion detection systems, as the timing characteristics of legitimate queries are mimicked. This vulnerability particularly affects wordpress environments where multiple users with contributor roles exist, making it a significant concern for sites with collaborative content management features.
Mitigation strategies should prioritize immediate patching to version 5.7.10 or later where the sql injection vulnerability has been addressed through proper input sanitization and parameterized query construction. Administrators should implement role-based access controls to minimize contributor privileges where possible, though this may not be feasible in collaborative environments. Security monitoring should include detection of unusual shortcode usage patterns and potential sql injection attempts within content management systems. The implementation of web application firewalls with sql injection detection capabilities provides additional protection layers. Organizations should also conduct regular security audits of wordpress plugins and ensure all third-party components are kept current with security patches to prevent similar vulnerabilities from being exploited in their environments.