PatchSiren

CVE-2026-42647 Beardev CVE debrief

A critical vulnerability was discovered in JoomSport, a WordPress plugin used for sports league results management. Tracked as CVE-2026-42647, it is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') flaw that allows blind SQL injection. It is rated CVSS 9.3, which is critical severity.

Vendor: Beardev
Product: JoomSport
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-12
Advisory published: 2026-06-11
Advisory updated: 2026-06-12

Who should care

Administrators and users of the JoomSport plugin, particularly those using versions up to 5.7.7, should be aware of this vulnerability and take immediate action to mitigate the risk.

Technical summary

CVE-2026-42647 affects JoomSport from its inception through version 5.7.7. Improper neutralization of special elements used in SQL commands allows blind SQL injection. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L: reachable over the network, low attack complexity, no privileges or user interaction required, changed scope, high confidentiality impact, no integrity impact and low availability impact.

Defensive priority

High

Recommended defensive actions

  • Update JoomSport to a version that is not vulnerable.
  • Refer to [ref-4](https://patchstack.com/database/wordpress/plugin/joomsport-sports-league-results-management/vulnerability/wordpress-joomsport-plugin-5-7-7-sql-injection-vulnerability?_s_id=cve) for mitigation or vendor

Evidence notes

The CVE-2026-42647 vulnerability was officially recorded on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-42647). Detailed information can also be found on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-42647).

Official resources

CVE-2026-42647 was published on 2026-06-11T22:16:56.447Z and modified on 2026-06-12T13:13:53.050Z.