CVE-2021-24384

Name of the Vulnerable Software and Affected Versions JoomSport WordPress plugin versions prior to 5.1.8

Description The issue arises from the joomsport md load AJAX action in the JoomSport WordPress plugin, which unserializes user input from the shattr POST parameter. This leads to a PHP Object Injection issue. Although the plugin itself does not have a suitable gadget chain to exploit this, the presence of other installed plugins could potentially lead to more severe issues, such as Remote Code Execution (RCE).

Recommendations For versions prior to 5.1.8, update to version 5.1.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the joomsport md load AJAX action until a patch is available. Avoid using the shattr parameter in the affected AJAX endpoint until the issue is resolved.