CVE-2026-6929: SQL Injection in JoomSport WordPress Plugin
Platform
wordpress
Component
joomsport-sports-league-results-management
Fixed in
5.7.8
CVE-2026-6929 describes a time-based blind SQL Injection vulnerability discovered in the JoomSport plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to the extraction of sensitive data from the underlying database. The vulnerability impacts versions 0.0.0 through 5.7.7 of the plugin, and a patch is available in version 5.7.8.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-6929 could allow an attacker to bypass authentication and directly query the database. This could result in the exposure of sensitive user data, including usernames, passwords (if stored in the database), email addresses, and potentially other application-specific data. The attacker could also potentially modify or delete data within the database, leading to data integrity issues and service disruption. Given the widespread use of WordPress and plugins like JoomSport, the potential blast radius of this vulnerability is significant, particularly for sites that handle sensitive user information.
Exploitation Context
CVE-2026-6929 was published on May 13, 2026. The vulnerability's exploitation context is currently unknown, and no public proof-of-concept (POC) exploits have been widely reported. Its severity is rated HIGH (CVSS 7.5), indicating a significant potential for exploitation. It is not currently listed on CISA KEV or EPSS, suggesting a low to medium probability of active exploitation at this time, but diligent monitoring is advised.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- None — no integrity impact. Attacker cannot modify data.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-6929 is to immediately upgrade the JoomSport plugin to version 5.7.8 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious SQL injection patterns in the 'sortf' parameter. Specifically, look for unusual characters or SQL keywords within this parameter. Additionally, review and harden the WordPress installation itself, ensuring all other plugins and themes are up-to-date and following security best practices. After upgrading, confirm the fix by attempting to access the vulnerable endpoint (e.g., a team or league listing) and verifying that the 'sortf' parameter no longer allows SQL injection.
How to fix
Update to version 5.7.8, or a newer patched version
Frequently asked questions
What is CVE-2026-6929 — SQL Injection in JoomSport WordPress Plugin?
CVE-2026-6929 is a HIGH severity SQL Injection vulnerability affecting the JoomSport WordPress plugin, allowing attackers to extract data from the database through the 'sortf' parameter. It impacts versions 0.0.0 through 5.7.7.
Am I affected by CVE-2026-6929 in JoomSport WordPress Plugin?
You are affected if your WordPress site uses the JoomSport plugin and is running version 5.7.7 or earlier. Check your plugin version using wp plugin list.
How do I fix CVE-2026-6929 in JoomSport WordPress Plugin?
Upgrade the JoomSport plugin to version 5.7.8 or later. If immediate upgrade is not possible, implement a WAF rule to filter suspicious 'sortf' parameter requests.
Is CVE-2026-6929 being actively exploited?
Currently, there are no widely reported active exploitation campaigns for CVE-2026-6929, but its HIGH severity warrants ongoing monitoring.
Where can I find the official JoomSport advisory for CVE-2026-6929?
Refer to the JoomSport website and WordPress plugin repository for the official advisory and update information: [https://joomsport.com/](https://joomsport.com/)
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...