WordPress · Joomsport – For Sports: Team & League · CVE-2022-2718
**Name of the Vulnerable Software and Affected Versions**
JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress versions up to, and including, 5.2.5
**Description**
The issue allows authenticated attackers with administrative privileges to perform SQL Injection via the `orderby` parameter on the "joomsport-page-extrafields" page. The user-supplied `orderby` value is placed into an existing SQL query without sufficient escaping or query preparation, making it possible to extract sensitive information from the database.
**Recommendations**
For versions up to, and including, 5.2.5, consider disabling access to the "joomsport-page-extrafields" page or restricting the use of the `orderby` parameter until a patch is available. As a temporary workaround, restrict administrative privileges to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
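The following is an added illustrative example and is not code from the JoomSport plugin. It shows why an `orderby` parameter is a recurring source of SQL injection in WordPress plugins and how it is normally fixed: an ORDER BY clause takes a column identifier, which `$wpdb->prepare()` placeholders cannot bind, so the value has to be validated against a fixed allowlist before it ever touches the query string. The table and column names below are assumptions chosen for the example, not the plugin's real schema.

```php
<?php
// Added example, not the plugin's own code. Table and column names are assumed.
const EXAMPLE_TABLE   = 'wp_joomsport_extrafields';               // assumed name
const ALLOWED_ORDERBY = array( 'id', 'field_name', 'field_type', 'ordering' );
const ALLOWED_ORDER   = array( 'ASC', 'DESC' );

/**
 * Weak pattern: the request value is concatenated straight into the query.
 * Neither $wpdb->prepare() nor esc_sql() helps here: ORDER BY expects an
 * identifier, not a quoted value, so escaping quotes does not constrain it.
 */
function weak_build_query( $orderby, $order ) {
    return "SELECT * FROM " . EXAMPLE_TABLE . " ORDER BY {$orderby} {$order}";
}

/**
 * Hardened pattern: map the request values onto a fixed allowlist and fall
 * back to a safe default. Only literals from the allowlist reach the SQL.
 */
function safe_orderby( $orderby, $order ) {
    $orderby = in_array( (string) $orderby, ALLOWED_ORDERBY, true ) ? (string) $orderby : 'id';
    $order   = strtoupper( (string) $order );
    $order   = in_array( $order, ALLOWED_ORDER, true ) ? $order : 'ASC';
    return array( $orderby, $order );
}

function safe_build_query( $orderby, $order ) {
    list( $col, $dir ) = safe_orderby( $orderby, $order );
    // Identifiers are backtick-quoted and already restricted to known columns.
    return "SELECT * FROM `" . EXAMPLE_TABLE . "` ORDER BY `{$col}` {$dir}";
}

// Constructed request values for demonstration (stand-ins for $_GET['orderby']).
$inputs = array(
    array( 'field_name',   'desc' ),   // legitimate sort request
    array( 'not_a_column', 'ASC' ),    // anything outside the allowlist
);

foreach ( $inputs as list( $orderby, $order ) ) {
    echo "weak : " . weak_build_query( $orderby, $order ) . PHP_EOL;
    echo "safe : " . safe_build_query( $orderby, $order ) . PHP_EOL;
}
// The weak builder echoes whatever it was given; the safe builder collapses
// the unknown column to the default ("id") and normalises the direction.
```

In a real plugin the allowlist check would sit in the admin page handler before the `$wpdb` call, and any filter or pagination values in the same query would still go through `$wpdb->prepare()` with `%d`/`%s` placeholders. Because this issue requires administrator privileges, capability checks alone do not address it; the identifier allowlist is the control that removes the injection.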