CVE-2019-14348

CRITICAL

BearDev JoomSport <3.3 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-14348. PoCs published by Pablo Santiago.

AI-analyzed exploit summary: This exploit demonstrates a SQL injection vulnerability in JoomSport 3.3 via the 'sid' POST parameter. The payload provided is a boolean-based blind SQLi example, allowing an attacker to extract or manipulate database information.

Description

The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter.

Exploits (1)

exploitdb WORKING POC
by Pablo Santiago · text · webapps · php
https://www.exploit-db.com/exploits/47210

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: JoomSport for Sports WordPress plugin 3.3
No auth needed
Prerequisites: Access to the vulnerable endpoint · Ability to send crafted POST requests
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
https://wpvulndb.com/vulnerabilities/9499 (Third Party Advisory; x_refsource_misc)
http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)

Scores

CVSS v3: 9.8
EPSS: 0.2109
EPSS Percentile: 97.3%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1): beardev/joomsport 3.3
Published: Aug 05, 2019
Tracked Since: Feb 18, 2026