CVE-2025-15368

Name of the Vulnerable Software and Affected Versions SportsPress plugin for WordPress versions through 2.7.26

Description The SportsPress plugin for WordPress is susceptible to Local File Inclusion via the 'template name' attribute within shortcodes. This allows authenticated attackers with contributor-level permissions or higher to include and execute arbitrary files on the server. Successful exploitation could lead to bypassing access controls, obtaining sensitive data, or achieving code execution if PHP files can be uploaded and included. The vulnerable parameter is template name.

Recommendations Versions prior to 2.7.27 are affected. Update to a version later than 2.7.26.