WordPress Plugin Vulnerabilities

JoomSport < 5.2.6 - Admin+ SQLi

Description

The plugin does not properly escape the orderby parameter before using it in multiple SQL statement, which could allow high privilege users to perform SQL injection

Affects Plugins

Plugin icon
joomsport-sports-league-results-management
Fixed in 5.2.6

References

CVE
CVE-2022-2717
CVE
CVE-2022-2718

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Salim al-wahaibi
Verified
Yes
WPVDB ID
ad7891c4-2062-4594-9af6-2ceb16c13141

Timeline

Publicly Published
2022-08-08 (about 3 years ago)
Added
2022-08-09 (about 3 years ago)
Last Updated
2023-05-07 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
WordPress <= 1.5.1.1 - "add new admin" SQL Injection
Published
2025-03-04
Title
Ultimate Member < 2.10.1 - Unauthenticated SQLi
Published
2018-11-09
Title
Buddyforms < 2.2.8 - SQL Injection
Published
2014-12-03
Title
Google Document Embedder <= 2.5.16 - SQL Injection
Published
2022-10-17
Title
WP < 6.0.3 - SQLi in WP_Date_Query