🔐 CVE Alert

CVE-2026-12134

MEDIUM 4.3

JoomSport <= 5.7.8 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Group Creation/Modification via season_groupedit AJAX action

CVSS Score
4.3
EPSS Score
0.4%
EPSS Percentile
32th

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary season groups or modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages that render a JoomSport shortcode.

CWE CWE-862
Vendor beardev
Product joomsport – for sports: team & league, football, hockey & more
Published Jul 2, 2026
Last Updated Jul 2, 2026
Stay Ahead of the Next One

Get instant alerts for beardev joomsport – for sports: team & league, football, hockey & more

Be the first to know when new medium vulnerabilities affecting beardev joomsport – for sports: team & league, football, hockey & more are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

beardev / JoomSport – for Sports: Team & League, Football, Hockey & more
0 ≤ 5.7.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/a00997d4-f242-4d49-8542-0738efa66222?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L230 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L230 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L22 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L22 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/joomsport-shortcodes.php#L473 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/joomsport-shortcodes.php#L473 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3581673%40joomsport-sports-league-results-management&new=3581673%40joomsport-sports-league-results-management&sfp_email=&sfph_mail=

Credits

Chloe Chamberland PRISM