Live Scores for SportsPress < 1.9.1 – Authenticated Local File Inclusion

Description

The plugin does not validate or sanitise the tab parameter in the admin dashboard before using it in an include statement, leading to an Authenticated Local File Inclusion

Proof of Concept

https://example.com/wp-admin/admin.php?page=live-scores-for-sportspress&tab=../../index

This will include the homepage of the blog in the dashboard

Affects Plugins

live-scores-for-sportspress

Fixed in 1.9.1

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

4.7 (medium)

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

50c3f5ab-bbda-4bda-81c8-16dcbf4d6600

Timeline

Publicly Published

2021-08-24 (about 4 years ago)

Added

2021-08-24 (about 4 years ago)

Last Updated

2021-08-24 (about 4 years ago)

Other

Published

Title

Published

2023-03-06

Title

WP Dark Mode < 4.0.8 - Subscriber+ Local File Inclusion

Published

2026-03-20

Title

Spam Protect for Contact Form 7 < 1.2.10 - Authenticated (Editor+) Arbitrary File Deletion

Published

2025-06-26

Title

Frontend Admin by DynamiApps < 3.28.8 - Authenticated (Editor+) Arbitrary File Deletion

Published

2025-07-21

Title

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) < 3.2.9 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion

Published

2025-06-19

Title

HUSKY < 1.3.7.1 - Contributor+ Local File Inclusion