The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsport_season_groupdel() AJAX handler, which only verifies a nonce before executing a DELETE query on attacker-supplied group IDs. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary JoomSport group records.
Metrics
Affected Vendors & Products
References
History
Wed, 01 Jul 2026 05:00:00 +0000
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-01T03:43:33.374Z
Reserved: 2026-06-12T15:32:16.073Z
Link: CVE-2026-12133
No data.
No data.
No data.
OpenCVE Enrichment
No data.