CVE-2019-14348
Published 2019-08-05
Priority P2 · 72 · critical 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 21.09% (97.3th percentile)
The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| beardev | joomsport | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to paths matching the pattern /joomsport_season/*/ with the `action=playerlist` query parameter; the vulnerable `sid` POST body parameter is the injection point.
- Alert on boolean-based blind SQLi patterns in the `sid` POST parameter, e.g. negative integer values followed by OR boolean tautologies (e.g. `OR 7339=7339`).
- Use the Google dork `intext:powered by JoomSport - sport WordPress plugin` to identify exposed vulnerable instances.
- The example path `/wordpress/joomsport_season/new-yorkers/` uses a sample slug ('new-yorkers'); the actual slug will vary per installation, so detection rules should wildcard the season/team slug segment.
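The detection guidance above, turned into a runnable check. This is an added example, not code from the page or from any of the cited sources: it assumes a constructed, hypothetical log format of `METHOD URL BODY` per line (real access logs rarely carry the POST body, so in practice this logic would sit in a WAF or reverse-proxy hook that sees request bodies), wildcards the season/team slug segment as the last bullet advises, scopes to `action=playerlist`, and flags a `sid` body parameter that either contains the `OR n=n` tautology named above or is not a plain integer. The function names `analyze` and `scan` and the sample lines are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Season/team slug segment is wildcarded because it varies per installation.
# The optional leading segments cover installs under a sub-directory (e.g. /wordpress/).
PLAYERLIST_PATH = re.compile(r"^(?:/[^/]+)*/joomsport_season/[^/]+/?$")
# Boolean-based blind SQLi marker from the advisory: an "OR <n>=<n>" tautology.
TAUTOLOGY = re.compile(r"\bOR\s+(\d+)\s*=\s*\1\b", re.IGNORECASE)
# A legitimate season id is expected to be a plain (possibly negative) integer.
INTEGER = re.compile(r"^-?\d+$")


def analyze(line: str) -> dict:
    """Classify one constructed 'METHOD URL BODY' line (hypothetical format)."""
    parts = line.split(" ", 2)
    method, url = parts[0], parts[1]
    body = parts[2] if len(parts) == 3 else ""
    parsed = urlsplit(url)
    result = {"line": line, "flag": False, "reason": "", "sid": None}

    # Only POSTs to the playerlist action on a joomsport_season path are in scope.
    if method.upper() != "POST" or not PLAYERLIST_PATH.match(parsed.path):
        return result
    if parse_qs(parsed.query).get("action", [""])[0] != "playerlist":
        return result

    # parse_qs URL-decodes the body, so "%20OR%207339%3D7339" becomes " OR 7339=7339".
    sid = parse_qs(body).get("sid", [None])[0]
    result["sid"] = sid
    if sid is None:
        return result
    if TAUTOLOGY.search(sid):
        result.update(flag=True, reason="boolean tautology in sid")
    elif not INTEGER.match(sid):
        result.update(flag=True, reason="non-integer sid")
    return result


def scan(lines):
    """Return the analysis records for every line that should raise an alert."""
    return [r for r in (analyze(line) for line in lines) if r["flag"]]


# Constructed sample traffic (not captured data); slugs and ids are made up.
SAMPLE_LOG = [
    "POST /wordpress/joomsport_season/new-yorkers/?action=playerlist sid=12",
    "POST /wordpress/joomsport_season/new-yorkers/?action=playerlist sid=-1%20OR%207339%3D7339",
    "POST /joomsport_season/lakers/?action=playerlist sid=abc",
    "GET /wordpress/joomsport_season/new-yorkers/?action=playerlist",
    "POST /wordpress/joomsport_season/new-yorkers/?action=other sid=-1%20OR%201%3D1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT [{hit['reason']}] sid={hit['sid']!r} :: {hit['line']}")
```

The last sample line deliberately carries a tautology under a different `action` value and is left unflagged, so that the rule stays tied to the vulnerable code path; broaden the `action` check only if the plugin's other actions are later shown to share the same unsanitized parameter.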
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/153963/WordPress-JoomSport-3.3-SQL-Injection.html
- https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/
- https://wpvulndb.com/vulnerabilities/9499