🔐 CVE Alert

CVE-2026-12133

MEDIUM 4.3

JoomSport <= 5.7.8 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Group Deletion via season_groupdel AJAX action

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsport_season_groupdel() AJAX handler, which only verifies a nonce before executing a DELETE query on attacker-supplied group IDs. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary JoomSport group records.

CWE CWE-862
Vendor beardev
Product joomsport – for sports: team & league, football, hockey & more
Published Jul 1, 2026
Stay Ahead of the Next One

Get instant alerts for beardev joomsport – for sports: team & league, football, hockey & more

Be the first to know when new medium vulnerabilities affecting beardev joomsport – for sports: team & league, football, hockey & more are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

beardev / JoomSport – for Sports: Team & League, Football, Hockey & more
0 ≤ 5.7.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/03122c29-4ca5-426a-8240-74ce96dd21f2?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L296 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L296 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L294 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L294 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L25 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L25 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/joomsport-shortcodes.php#L473 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/joomsport-shortcodes.php#L473 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3581673%40joomsport-sports-league-results-management&new=3581673%40joomsport-sports-league-results-management&sfp_email=&sfph_mail=

Credits

Chloe Chamberland PRISM