CVE-2026-42647

CRITICAL EXPLOITED NUCLEI LAB

WordPress JoomSport plugin <= 5.7.7 - SQL Injection vulnerability

Title source: cna

Exploitation Summary

CVE-2026-42647 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including rootdirective-sec. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a timing-based scanner for CVE-2026-42647, a JoomSport SQL injection vulnerability. It measures response times to detect potential vulnerability but does not exploit it for data extraction or modification.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7.

Exploits (1)

github SCANNER
by rootdirective-sec · python · poc
https://github.com/rootdirective-sec/CVE-2026-42647-Lab

Classification: Scanner 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: JoomSport Sports League Results Management (WordPress plugin)
No auth needed
Prerequisites: Docker environment with vulnerable JoomSport plugin · WordPress installation
devstral-2 · analyzed Jun 13, 2026

Nuclei Templates (1)

JoomSport <= 5.7.7 - SQL Injection
CRITICAL · VERIFIED · by theamanrawat

Scores

CVSS v3 9.3
EPSS 0.0518
EPSS Percentile 90.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Lab Environment

COMMUNITY
Community Lab
docker pull wordpress:cli-2.11.0-php8.2
docker pull wordpress:6.6.2-php8.2-apache

Details

VulnCheck KEV 2026-04-29
CWE: CWE-89
Status published
Products (1)
Beardev/JoomSport < 5.7.7
Published Jun 11, 2026
Tracked Since Jun 12, 2026