Skip to main content
CVE Vulnerability Database

CVE-2026-6929: JoomSport WordPress Plugin SQLi Vulnerability

CVE-2026-6929 is a time-based blind SQL injection flaw in JoomSport WordPress plugin that allows unauthenticated attackers to extract sensitive database information. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-6929 Overview

CVE-2026-6929 is a time-based blind SQL Injection vulnerability in the JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress. The flaw affects all versions up to and including 5.7.7. It exists in the sortf parameter due to insufficient escaping of user-supplied input and a lack of proper preparation on the underlying SQL query. Unauthenticated attackers can append additional SQL queries to existing database operations. Successful exploitation allows extraction of sensitive information from the WordPress database, including credentials, session data, and configuration details. The vulnerability is categorized under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).

Critical Impact

Unauthenticated remote attackers can extract sensitive data from the WordPress database through blind SQL injection without any user interaction.

Affected Products

  • JoomSport – for Sports: Team & League, Football, Hockey & more (WordPress Plugin)
  • All versions up to and including 5.7.7
  • Vulnerable source files: class-jsport-getplayers.php and class-jsport-playerlist.php

Discovery Timeline

  • 2026-05-13 - CVE-2026-6929 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-6929

Vulnerability Analysis

The vulnerability resides in the JoomSport plugin's player listing functionality. The sortf parameter, which controls sort field selection, flows directly into a SQL query without proper escaping or parameterized statement preparation. Attackers supply this parameter via HTTP requests, and the plugin concatenates the value into the query string sent to the WordPress database.

Because the injection is time-based and blind, attackers infer query results from server response delays. Payloads typically include conditional SLEEP() or BENCHMARK() functions that cause measurable response time differences based on boolean conditions. Repeated requests allow attackers to extract data character by character.

The vulnerable code paths are documented in the WordPress plugin repository for class-jsport-getplayers.php and the class-jsport-playerlist.php class.

Root Cause

The root cause is the absence of input sanitization and prepared statements when handling the sortf parameter. The plugin directly interpolates the user-supplied value into a SQL ORDER BY clause without calling $wpdb->prepare() or escaping functions such as esc_sql(). Because ORDER BY clauses cannot use bound parameters directly in MySQL, developers must validate sort field names against an allow-list — a control absent in vulnerable releases.

Attack Vector

Attackers send unauthenticated HTTP requests to WordPress endpoints that invoke the JoomSport player listing functionality. The malicious sortf parameter contains SQL syntax designed to trigger conditional time delays. No authentication, user interaction, or special privileges are required, making the attack viable against any WordPress site running the affected plugin versions.

The vulnerability mechanism is described in the Wordfence vulnerability advisory. No public proof-of-concept exploit code is currently available.

Detection Methods for CVE-2026-6929

Indicators of Compromise

  • HTTP requests containing SQL keywords such as SLEEP, BENCHMARK, SELECT, UNION, or WAITFOR in the sortf query parameter
  • Unusually slow database response times correlating with requests targeting JoomSport plugin endpoints
  • Repeated requests to the same plugin endpoint from a single source with incrementing parameter values
  • WordPress access logs showing high-frequency requests with encoded SQL payloads in sortf

Detection Strategies

  • Deploy web application firewall (WAF) rules to inspect query parameters for SQL injection signatures targeting the sortf field
  • Monitor database query logs for unusual ORDER BY clauses containing function calls or subqueries
  • Alert on HTTP request patterns exhibiting timing-based extraction behavior, such as sequential requests with similar payload structure

Monitoring Recommendations

  • Enable WordPress query logging or use a plugin such as Query Monitor to capture suspicious database activity
  • Forward web server and database logs to a centralized SIEM for correlation and anomaly identification
  • Track outbound data volumes from the WordPress host to identify potential data exfiltration following exploitation

How to Mitigate CVE-2026-6929

Immediate Actions Required

  • Update the JoomSport plugin to a version newer than 5.7.7 once the vendor releases a patched build
  • Audit WordPress sites for the presence of the JoomSport plugin and inventory affected installations
  • Review database user privileges to ensure the WordPress database account has minimum required permissions
  • Inspect web server access logs for prior exploitation attempts targeting the sortf parameter

Patch Information

The vendor committed remediation changes documented in the WordPress plugin changeset. Administrators should upgrade to the latest plugin release available through the WordPress plugin repository. Verify the installed version after upgrade and confirm the fix is present in the affected source files.

Workarounds

  • Deactivate and remove the JoomSport plugin until a patched version is installed
  • Deploy WAF rules to block requests containing SQL keywords in the sortf parameter
  • Restrict access to WordPress administrative and plugin endpoints by IP address where feasible
  • Apply the principle of least privilege to the WordPress database user to limit data exposure if exploitation succeeds
bash
# Example WAF rule pattern to block SQL injection in sortf parameter
# ModSecurity rule example
SecRule ARGS:sortf "@rx (?i)(sleep|benchmark|union|select|waitfor|delay)" \
    "id:1026929,phase:2,deny,status:403,msg:'CVE-2026-6929 JoomSport SQLi attempt'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.