CVE-2026-12133
JoomSport <= 5.7.8 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Group Deletion via season_groupdel AJAX action
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsport_season_groupdel() AJAX handler, which only verifies a nonce before executing a DELETE query on attacker-supplied group IDs. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary JoomSport group records.
| CWE | CWE-862 |
| Vendor | beardev |
| Product | joomsport – for sports: team & league, football, hockey & more |
| Published | Jul 1, 2026 |
Stay Ahead of the Next One
Get instant alerts for beardev joomsport – for sports: team & league, football, hockey & more
Be the first to know when new medium vulnerabilities affecting beardev joomsport – for sports: team & league, football, hockey & more are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
beardev / JoomSport – for Sports: Team & League, Football, Hockey & more
0 ≤ 5.7.8
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/03122c29-4ca5-426a-8240-74ce96dd21f2?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L296 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L296 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L294 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L294 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L25 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L25 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/joomsport-shortcodes.php#L473 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/joomsport-shortcodes.php#L473 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3581673%40joomsport-sports-league-results-management&new=3581673%40joomsport-sports-league-results-management&sfp_email=&sfph_mail=
Credits
Chloe Chamberland PRISM