PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13010 beardev CVE debrief

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based SQL Injection via 'event' Shortcode Attribute in all versions up to, and including, 5.7.9. This vulnerability allows authenticated attackers, with contributor-level access and above, to append additional SQL queries into existing queries, potentially leading to sensitive information disclosure.

Vendor
beardev
Product
JoomSport – for Sports: Team & League, Football, Hockey & more
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users of WordPress sites utilizing the JoomSport plugin, especially those with contributor-level access or higher, should be aware of this vulnerability and take necessary actions to mitigate the risk.

Technical summary

The JoomSport plugin for WordPress is susceptible to a time-based SQL Injection attack through the 'event' Shortcode Attribute. This vulnerability exists due to insufficient escaping of user-supplied parameters and a lack of adequate preparation of existing SQL queries. An attacker with at least contributor-level access can exploit this vulnerability by embedding the shortcode in posts or pages, allowing them to execute additional SQL queries and potentially extract sensitive information from the database.

Defensive priority

Medium priority should be given to updating the JoomSport plugin to a version beyond 5.7.9, implementing additional monitoring for suspicious database queries, and ensuring that only authorized personnel have contributor-level access or higher.

Recommended defensive actions

  • Update the JoomSport plugin to the latest version available.
  • Implement additional monitoring for suspicious database queries.
  • Restrict contributor-level access and above to only trusted users.
  • Regularly review and update access controls for WordPress sites.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Evidence notes

The CVE record was published on 2026-07-10T10:16:23.020Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Multiple references are provided, including links to the vulnerable code and details from Wordfence.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T10:16:23.020Z and has not been modified since then. The NVD entry is currently in the 'Received' status.