Introduction
Unauthenticated attackers can execute arbitrary PHP code on WordPress sites running vulnerable versions of the JoomSport plugin. This flaw puts site integrity, sensitive data, and server control at risk for any organization using this plugin for sports league management.
JoomSport is a specialized WordPress plugin developed by BearDev, designed for managing sports leagues, teams, and related activities. While not as widely deployed as mainstream plugins, it serves a niche but active community of sports organizations and clubs. BearDev has a history of multiple security issues in this product, making its vulnerabilities particularly relevant for WordPress administrators in the sports sector.
Technical Information
CVE-2025-7721 is a Local File Inclusion (LFI) vulnerability present in all versions of the JoomSport plugin up to and including 5.7.3. The vulnerability is located in the class-jsport-controller.php file at line 74, where the plugin processes the task parameter from user input. The plugin fails to validate or sanitize this parameter before using it to build an include path, so an attacker can manipulate it to include arbitrary PHP files from the server's filesystem.
When an attacker sends an HTTP request with the task parameter set to a malicious value (such as a traversal path pointing at a sensitive or attacker-controlled PHP file), the plugin includes and executes that file. Because include() runs the target as PHP, any file the attacker can place on the server (for example a previously uploaded file) becomes remote code execution; the same primitive also allows bypass of access controls and exposure of sensitive data. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).
The root cause is the direct use of user-supplied input in file inclusion operations without sufficient validation. This allows for directory traversal and the inclusion of unintended files, including those uploaded by attackers or present elsewhere on the server.
Patch Information
To address the Local File Inclusion (LFI) vulnerability in the JoomSport plugin (versions up to and including 5.7.3), the developers have released version 5.7.4, which implements stricter validation and sanitization of the task parameter. This update ensures that only expected controller files are included, mitigating the risk of unauthorized code execution.
In the vulnerable versions, the task parameter was insufficiently validated, allowing attackers to manipulate it to include arbitrary PHP files. The patch introduces a whitelist of permissible tasks and employs functions like basename() to strip directory components from the input, preventing directory traversal.
For example, the updated code checks the task parameter against a predefined list of allowed tasks:

    <?php
    // Whitelist of task names; anything else is rejected before any include() runs.
    $allowed_tasks = array('view', 'edit', 'delete');
    $task = isset($_GET['task']) ? $_GET['task'] : '';
    if (in_array($task, $allowed_tasks)) {
        // Proceed with the task
    } else {
        // Handle unauthorized task
    }
By updating to version 5.7.4, users can protect their WordPress sites from potential exploits targeting this vulnerability.
Patch source: https://cvetodo.com/cve/CVE-2025-7721
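The unsafe pattern described under Technical Information and the whitelist-plus-basename() fix described under Patch Information, side by side, as an added PHP example. This is not JoomSport's own code: the controllers/ directory, the task names, the function names resolveTaskVulnerable() and resolveTaskHardened(), and the throwaway file tree are assumptions made for illustration, and the script assumes PHP 8.0 or newer.

```php
<?php
declare(strict_types=1);

// Added example, not JoomSport code. The controller directory layout and the
// task names are assumptions made for illustration; requires PHP 8.0+.
const ALLOWED_TASKS = ['view', 'edit', 'delete'];

// Unsafe shape: the request value is spliced straight into the include path.
// A value such as "../wp-config" walks out of $baseDir, and include() executes
// whatever .php file the web server can read, including one an attacker has
// previously uploaded.
function resolveTaskVulnerable(string $baseDir, string $task): string
{
    return $baseDir . '/' . $task . '.php';
}

// Hardened: reject non-strings, strip any directory component, enforce a strict
// whitelist, then confirm the resolved path is still inside $baseDir.
function resolveTaskHardened(string $baseDir, mixed $task): ?string
{
    if (!is_string($task)) {                      // ?task[]=view arrives as an array
        return null;
    }
    $task = basename($task);                      // "../../x" -> "x"
    if (!in_array($task, ALLOWED_TASKS, true)) {  // strict: no type juggling
        return null;
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . $task . '.php');
    if ($root === false || $path === false) {     // no such controller on disk
        return null;
    }
    if (!str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {  // symlink escape
        return null;
    }
    return $path;
}

// Throwaway tree (constructed for the demo) so the script runs offline:
//   <tmp>/wp-config.php         sensitive file outside the controller directory
//   <tmp>/controllers/view.php  the only legitimate controller present
function makeFixture(): string
{
    $tmp = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
    mkdir($tmp . '/controllers', 0700, true);
    file_put_contents($tmp . '/wp-config.php', "<?php // secrets\n");
    file_put_contents($tmp . '/controllers/view.php', "<?php // view controller\n");
    return $tmp;
}

function removeFixture(string $tmp): void
{
    foreach ([$tmp . '/controllers/view.php', $tmp . '/wp-config.php'] as $f) {
        @unlink($f);
    }
    @rmdir($tmp . '/controllers');
    @rmdir($tmp);
}

$tmp     = makeFixture();
$baseDir = $tmp . '/controllers';

// Constructed request values standing in for ?task=... (already URL-decoded).
$payloads = [
    'view',            // legitimate task
    '../wp-config',    // traversal out of the controller directory
    'edit',            // whitelisted name, but no such controller on disk
    ['view'],          // ?task[]=view
];

foreach ($payloads as $p) {
    $label = is_array($p) ? 'task[]=view' : 'task=' . $p;
    if (is_string($p)) {
        $v    = resolveTaskVulnerable($baseDir, $p);
        $vuln = $v . (file_exists($v) ? '  (file exists, would be executed)' : '  (no such file)');
    } else {
        $vuln = 'TypeError: string expected';
    }
    $hard = resolveTaskHardened($baseDir, $p) ?? 'REJECTED';
    printf("%s\n  vulnerable -> %s\n  hardened   -> %s\n", $label, $vuln, $hard);
}

removeFixture($tmp);
```

Run it with `php lfi-demo.php`. Two points worth noticing: basename() on its own only removes directory components, so an attacker could still name any file inside the controller directory; the whitelist is the control that actually limits what gets included, and the strict flag on in_array() avoids PHP's loose-comparison surprises. The realpath() containment check is a belt-and-braces measure against symlinks or an allowed name that does not map to a real controller file. If the real include path did not append a fixed .php suffix, the same traversal would reach non-PHP files as well.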
Affected Systems and Versions
- JoomSport – for Sports: Team & League, Football, Hockey & more WordPress plugin
- All versions up to and including 5.7.3 are affected
- Vulnerability is present regardless of configuration, because the task parameter is reachable by unauthenticated requests
Vendor Security History
BearDev, the developer of JoomSport, has a documented history of security issues in this plugin. Previous vulnerabilities include SQL injection, broken access control, and cross-site scripting, as recorded in Patchstack and other vulnerability databases. The vendor typically issues patches after disclosure, but the recurrence of critical flaws indicates persistent challenges with secure development practices. The plugin was closed by WordPress.org in September 2025 for a full security review, highlighting ongoing concerns about its security posture.