CVE-2026-42647 – Unauthenticated Blind SQL Injection – Beardev JoomSport ≤ 5.7.7

Summary

CVE-2026-42647 is a critical Blind SQL Injection vulnerability in the Beardev JoomSport WordPress plugin (joomsport-sports-league-results-management), affecting all versions through 5.7.7. With a CVSS v3.1 score of 9.3 (Critical), unauthenticated remote attackers can exploit a vulnerable GET parameter to extract arbitrary data from the underlying WordPress database, including user credentials and password hashes. A patch is available in version 5.7.8.

Technical details

• Root cause: The sortf GET parameter, used to control column ordering in the plugin’s player list view, is backtick-wrapped and directly concatenated into an SQL ORDER BY clause without sufficient escaping or input validation. The plugin does not employ a column whitelist or WordPress’s $wpdb->prepare() to sanitize this input.
• Trigger conditions: Any unauthenticated HTTP GET request to the player list endpoint with a crafted sortf value is sufficient to trigger the injection. No account, session, or user interaction of any kind is required.
• Attack vector: Remote, over the network. Attackers submit a time-based blind SQL injection payload (e.g., triggering a conditional SLEEP() delay) via the sortf parameter. The vulnerability is confirmed exploitable via a Nuclei template merged to the projectdiscovery/nuclei-templates main branch on 2026-06-02.
• Impact: Full compromise of database confidentiality. Attackers can extract all data accessible to the WordPress database user, including wp_users credentials (usernames, hashed passwords), email addresses, session tokens, and any other sensitive data stored in the database. The CVSS Scope metric is Changed (S:C), reflecting that the impact extends beyond the plugin itself to the underlying database server. Availability is also partially impacted (A:L) due to the time-delay payloads.

Affected software

• Beardev JoomSport (WordPress plugin slug: joomsport-sports-league-results-management): all versions from initial release through 5.7.7 (inclusive)

Severity

• CVSS v3.1 Base Score: 9.3 (Critical)
• Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Mitigation and recommended actions

• Immediate action — patch now: Update the JoomSport plugin to version 5.7.8 or later. The WordPress.org plugin changelog confirms that version 5.7.8 delivers a security vulnerability fix for this issue, implementing column whitelist validation on the affected sortf parameter.
• If immediate patching is not possible: Restrict public access to the player list endpoint at the web server or WAF layer. Block or sanitize requests containing SQL metacharacters in the sortf GET parameter as a temporary measure until the plugin can be updated.

IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

References

• CVE-2026-42647 at NIST
• JoomSport Plugin – WordPress.org (Changelog confirms 5.7.8 security fix)