CVE-2026-12133 Overview
CVE-2026-12133 is a missing authorization vulnerability [CWE-862] affecting the JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress. The flaw exists in versions up to and including 5.7.8. The joomsport_season_groupdel() AJAX handler verifies a nonce but omits a capability check before executing a DELETE query on attacker-supplied group IDs. Authenticated attackers with Subscriber-level access or above can delete arbitrary JoomSport group records. The issue affects data integrity for site owners running sports league content managed by the plugin.
Critical Impact
Any authenticated user at Subscriber level or higher can delete arbitrary JoomSport group records, causing loss of league and team data managed by the plugin.
Affected Products
- JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress
- All versions up to and including 5.7.8
- WordPress installations exposing the plugin's AJAX endpoints to authenticated users
Discovery Timeline
- 2026-07-01 - CVE-2026-12133 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-12133
Vulnerability Analysis
The vulnerability resides in the joomsport_season_groupdel() AJAX handler shipped with the JoomSport WordPress plugin. The handler is registered as an AJAX action available to authenticated users. It performs a nonce verification step to confirm the request originated from a WordPress-generated form. It does not perform any capability check such as current_user_can() before executing a database DELETE statement.
Because nonces in WordPress are user-scoped tokens accessible to any authenticated session, the nonce check alone does not restrict which role may invoke the action. Attackers with Subscriber-level access, which is the lowest authenticated role and is often granted through open registration, can retrieve a valid nonce and issue the delete request. The handler then removes JoomSport group records identified by attacker-controlled IDs.
Root Cause
The root cause is a missing authorization control [CWE-862]. The developer relied on nonce validation as the sole gatekeeper for a state-changing operation. Nonces protect against Cross-Site Request Forgery but do not enforce role-based access control. The AJAX handler should verify that the requester holds an administrative capability such as manage_options or a plugin-specific role before deleting group records.
Attack Vector
An attacker registers or authenticates as a Subscriber on a target WordPress site running a vulnerable JoomSport version. The attacker loads a page that exposes a valid nonce for the AJAX action, then submits a crafted POST request to admin-ajax.php with the joomsport_season_groupdel action and a target group ID. The plugin executes the DELETE query without validating the caller's role, removing the specified group from the database. Repeated requests can enumerate and delete all JoomSport groups on the site.
The vulnerability manifests directly in the AJAX handler logic. Refer to the WordPress JoomSport Post Season Code and the Wordfence Vulnerability Report for the exact source lines.
Detection Methods for CVE-2026-12133
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with the action=joomsport_season_groupdel parameter originating from low-privileged user sessions
- Unexpected disappearance of JoomSport group records, seasons, or league standings without administrator activity in the audit log
- Elevated request volume to admin-ajax.php from newly registered Subscriber accounts
- WordPress database DELETE queries against JoomSport group tables outside scheduled administrative windows
Detection Strategies
- Monitor web server access logs for admin-ajax.php requests carrying the joomsport_season_groupdel action and correlate the requesting user role
- Alert on any authenticated Subscriber account triggering state-changing plugin AJAX actions
- Compare snapshots of JoomSport group tables to detect unauthorized row removal
Monitoring Recommendations
- Enable WordPress audit logging to record plugin AJAX invocations and associated user IDs
- Track new Subscriber registrations followed by AJAX activity within a short time window
- Forward WordPress and web server logs to a centralized platform for correlation and retention
How to Mitigate CVE-2026-12133
Immediate Actions Required
- Update the JoomSport plugin to a version newer than 5.7.8 once the vendor releases a patched build referenced in the WordPress JoomSport Changeset
- Disable open user registration or restrict the default role to reduce the population of accounts able to invoke authenticated AJAX actions
- Review JoomSport group tables and restore any records deleted by unauthorized users from backups
Patch Information
The vendor changeset addressing the missing capability check is tracked at the WordPress JoomSport Changeset. Site administrators should upgrade to the fixed release identified in the Wordfence Vulnerability Report.
Workarounds
- Block requests to admin-ajax.php carrying the action=joomsport_season_groupdel parameter at the Web Application Firewall until the patch is applied
- Temporarily deactivate the JoomSport plugin on sites that allow public registration
- Restrict Subscriber-level accounts and audit existing low-privileged users for suspicious activity
# Example ModSecurity rule to block the vulnerable AJAX action pending patch
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:2026012133,\
msg:'Block CVE-2026-12133 JoomSport arbitrary group deletion'"
SecRule ARGS:action "@streq joomsport_season_groupdel"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

