CVE-2026-12133
Status: Received

Missing Authorization to Arbitrary Group Deletion in JoomSport WordPress Plugin

Vulnerability report for CVE-2026-12133, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsport_season_groupdel() AJAX handler, which only verifies a nonce before executing a DELETE query on attacker-supplied group IDs. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary JoomSport group records.

Meta Information

Generated: 2026-07-01
EPSS evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

One associated CPE:

Vendor      Product     Version / Range
joomsport   joomsport   up to and including 5.7.8

Exploitability

CWE: CWE-862 (Missing Authorization). The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

The vulnerability exists in the JoomSport plugin for WordPress, in versions up to and including 5.7.8. It is caused by a missing authorization check in the joomsport_season_groupdel() AJAX handler. The handler verifies a nonce, which only confirms that the request originated from a page the same user loaded, but it performs no capability check before executing a DELETE query on group IDs supplied by the requester.

This means that any authenticated user with Subscriber-level access or higher can delete arbitrary JoomSport group records without holding any permission intended to allow it.
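To make the defect concrete, here is the pattern the advisory describes written out as a generic WordPress AJAX handler, followed by the same handler with the missing check in place. This is an added illustration and not JoomSport's code: the action names, the nonce action, the table name, the request field and the required capability are assumptions made for the example.

```php
<?php
/*
 * Added illustration, not JoomSport's own code: a generic WordPress AJAX
 * handler with the CWE-862 defect the advisory describes (nonce verified,
 * capability never checked), followed by the same handler hardened.
 * Action names, the nonce action, the table name, the request field and the
 * required capability are assumptions made for this example.
 */

// --- Vulnerable pattern: nonce only ---------------------------------------
// check_ajax_referer() defends against CSRF: it proves the request was built
// from a page that embedded the nonce for this user. It says nothing about
// whether the user is allowed to delete groups, and wp_ajax_* handlers are
// reachable by every logged-in user, Subscribers included.
add_action( 'wp_ajax_example_groupdel_vulnerable', function () {
    check_ajax_referer( 'example_groupdel_nonce', 'nonce' );

    global $wpdb;
    $ids  = isset( $_POST['group_ids'] ) ? (array) $_POST['group_ids'] : array();
    $list = implode( ',', array_map( 'intval', $ids ) );
    // Caller-supplied IDs go straight to the DELETE with no authorization check.
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_groups WHERE id IN ($list)" );
    wp_send_json_success();
} );

// --- Hardened pattern: authorize, then validate, then act ------------------
add_action( 'wp_ajax_example_groupdel_fixed', function () {
    // Authorization: the check that was missing. Use the capability that
    // gates the plugin's own admin screens; manage_options is an assumption.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    // CSRF protection stays: necessary, but on its own not sufficient.
    check_ajax_referer( 'example_groupdel_nonce', 'nonce' );

    // Input validation: keep positive integers only, and reject an empty set
    // so the query never degrades to "IN ()".
    $ids = isset( $_POST['group_ids'] ) ? (array) wp_unslash( $_POST['group_ids'] ) : array();
    $ids = array_values( array_filter( array_map( 'absint', $ids ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'no valid group ids' ), 400 ); // exits
    }

    global $wpdb;
    // One %d placeholder per id, bound through $wpdb->prepare().
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $deleted      = $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}example_groups WHERE id IN ($placeholders)",
            $ids
        )
    );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
} );
```

The fix is the current_user_can() call; the rest is hygiene. A nonce is a per-user token that any logged-in user can obtain for themselves from markup they are allowed to see, so it expresses request origin, not permission. If groups are owned by particular users, an ownership check would be a further layer, but the page does not describe JoomSport's data model, so none is shown here.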

Impact Analysis

This vulnerability allows authenticated users with low-level access (Subscriber or above) to delete arbitrary group records in the JoomSport plugin. This can lead to unauthorized data modification and potential disruption of sports team and league data managed by the plugin.

While it does not allow data disclosure or system takeover, the integrity of the data is compromised, which could affect the reliability and availability of the sports information on the affected WordPress site.

Detection Guidance

Detecting exploitation of this vulnerability means watching for group-deletion requests that reach the joomsport_season_groupdel() AJAX handler from accounts that have no business managing JoomSport data.

WordPress AJAX handlers are invoked through POST requests to /wp-admin/admin-ajax.php with an action parameter; no HTTP DELETE method is involved. The "DELETE" in the advisory is the SQL statement the handler runs. The traffic to look for is therefore ordinary admin-ajax.php POSTs that result in JoomSport groups disappearing, especially when the caller is a Subscriber-level user.

Web server access logs record the request line but not the POST body, so the action name appears there only when a client passes it in the query string, and the registered action slug need not match the PHP function name. Greps such as the following are a cheap first pass that can miss real attempts:

  • grep -i 'joomsport_season_groupdel' /var/log/apache2/access.log
  • grep -i 'groupdel' /var/log/nginx/access.log

The more reliable signals come from inside WordPress: JoomSport groups vanishing without a corresponding administrator action, and activity or audit logging that ties each admin-ajax.php request to the authenticated user and their role, so that deletions performed by low-privilege accounts stand out.

Mitigation Strategies

The immediate mitigation is to update the JoomSport plugin to a release later than 5.7.8 in which the capability check is in place.

If an update is not immediately possible, restrict access to the affected AJAX handler at the site level, for example by enforcing a capability check on its admin-ajax.php action from a must-use plugin, or disable JoomSport temporarily.

Additionally, review user roles and the pool of low-privilege accounts. Because the handler performs no capability check at all, role configuration cannot gate it; what tightening roles does achieve is shrinking the set of accounts that can reach it, for instance by disabling open user registration where it is not needed and removing stale Subscriber accounts.
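Both the detection point above (tie admin-ajax.php requests to the calling user and role) and the interim mitigation (enforce a capability check in front of the handler) can be served by one small must-use plugin. The following is an added example, not JoomSport's or Wordfence's code. The page names the handler function joomsport_season_groupdel() but not the action string it is registered under, so the slug in the list is a placeholder that has to be replaced with the value from the plugin's own add_action( 'wp_ajax_...' ) call; the required capability is likewise an assumption.

```php
<?php
/**
 * Plugin Name: Interim capability gate for a plugin AJAX action (added example)
 * Description: Blocks and logs low-privilege calls to named admin-ajax.php actions.
 *
 * Added example, not JoomSport's or Wordfence's code. Place in
 * wp-content/mu-plugins/ as a stopgap until the plugin is updated.
 * The action slug below is a placeholder: take the real value from the
 * plugin's add_action( 'wp_ajax_...' ) registration. The capability is an
 * assumption as well.
 */

const EXAMPLE_GATED_AJAX_ACTIONS = array(
    'example_groupdel_action_slug', // placeholder, not the real slug
);
const EXAMPLE_REQUIRED_CAP = 'manage_options';

/**
 * Return the gated action name if this request targets one, else null.
 */
function example_gated_ajax_action() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return null;
    }
    $action = sanitize_text_field( wp_unslash( $_REQUEST['action'] ) );
    return in_array( $action, EXAMPLE_GATED_AJAX_ACTIONS, true ) ? $action : null;
}

/**
 * admin-ajax.php fires admin_init after the user is authenticated and before
 * dispatching wp_ajax_{action}, so a priority-0 callback runs ahead of the
 * vulnerable handler and can refuse the request outright.
 */
add_action( 'admin_init', function () {
    $action = example_gated_ajax_action();
    if ( null === $action ) {
        return;
    }
    $user  = wp_get_current_user();
    $roles = implode( ',', (array) $user->roles ) ?: 'none';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';

    if ( current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
        // Audit trail for legitimate deletions: who did what, from where.
        error_log( sprintf( 'ajax-gate allow action=%s user=%d roles=%s ip=%s',
            $action, $user->ID, $roles, $ip ) );
        return;
    }
    // Detection signal: a Subscriber-level (or anonymous) caller reached the
    // deletion action. Log it, then stop before the handler runs.
    error_log( sprintf( 'ajax-gate BLOCK action=%s user=%d roles=%s ip=%s',
        $action, $user->ID, $roles, $ip ) );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
}, 0 );
```

Because the gate matches on the action string, confirm the slug by reading the plugin source before relying on it; a wrong slug means the gate silently does nothing. The error_log() lines provide the WordPress-side visibility that access logs cannot, attributing each attempt to an authenticated user and role. This is a stopgap only: the plugin's handler remains unpatched underneath it, and updating past 5.7.8 is the actual fix.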
