CVE-2026-12134
JoomSport <= 5.7.8 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Group Creation/Modification via season_groupedit AJAX action
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary season groups or modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages that render a JoomSport shortcode.
| CWE | CWE-862 |
| Vendor | beardev |
| Product | joomsport – for sports: team & league, football, hockey & more |
| Published | Jul 2, 2026 |
| Last Updated | Jul 2, 2026 |
Get instant alerts for beardev joomsport – for sports: team & league, football, hockey & more
Be the first to know when new medium vulnerabilities affecting beardev joomsport – for sports: team & league, football, hockey & more are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N