Local File Inclusion Vulnerability in JoomSport Plugin for WordPress
CVE-2025-7721

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Joomsport – For Sports: Team & League, Football, Hockey & More
Vendor: CVE Published:; 3 October 2025

What is CVE-2025-7721?

The JoomSport plugin for WordPress is susceptible to a Local File Inclusion vulnerability in all versions up to and including 5.7.3. This flaw arises from improper validation of the 'task' parameter, enabling unauthorized attackers to access and execute arbitrary .php files on the server. Such exploitation can lead to significant security issues, including the bypass of access controls, unauthorized data access, and the ability to execute arbitrary PHP code, compromising the integrity of the WordPress installation.

Affected Version(s)

JoomSport – for Sports: Team & League, Football, Hockey & more * <= 5.7.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/joomsport-spor...

https://plugins.trac.wordpress.org/changeset/3371353/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 3, 2025
Vulnerability Reserved
Jul 16, 2025

Credit

Michael Mazzolini

JSON