cbcvebase.
CVE-2019-14348
published 2019-08-05


Priority: P272 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 21.09% (97.3rd percentile)
The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter.

Affected

1 range

Vendor    Product    Version range    Fixed in
beardev   joomsport  -                -

Detection & IOCs (extracted from sources)

url: /wordpress/joomsport_season/new-yorkers/?action=playerlist
command: sid=-3506 OR 7339=7339&page=1jscurtab=
path: /joomsport_season/new-yorkers/?action=playerlist
  • Monitor POST requests to paths matching the pattern /joomsport_season/*/ with the `action=playerlist` query parameter; the vulnerable `sid` POST body parameter is the injection point.
  • Alert on boolean-based blind SQLi patterns in the `sid` POST parameter, e.g. a negative integer value followed by an OR boolean tautology (such as `OR 7339=7339`).
  • Use the Google dork `intext:powered by JoomSport - sport WordPress plugin` to identify exposed vulnerable instances.
  • The example path `/wordpress/joomsport_season/new-yorkers/` uses a sample slug ('new-yorkers'); the actual slug varies per installation, so detection rules should wildcard the season/team slug segment.
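The detection rule the bullets above describe, as an added example (not code from this page or from the JoomSport project): it assumes request records that include the POST body, as a WAF or application-level log would provide, wildcards the slug segment, and flags a boolean tautology in the `sid` body parameter. The sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The season/team slug ("new-yorkers" in the page's sample) varies per
# installation, so the path rule wildcards that segment.
PATH_RE = re.compile(r"/joomsport_season/[^/]+/?$")
# Boolean tautology of the kind in the sample payload ("OR 7339=7339"),
# also matching quoted forms such as OR 'a'='a'.
TAUTOLOGY_RE = re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.IGNORECASE)


def is_joomsport_sqli(method: str, url: str, body: str) -> bool:
    """True when a request matches the CVE-2019-14348 injection pattern:
    a POST to /joomsport_season/<slug>/?action=playerlist whose sid body
    parameter carries an OR tautology."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(url)
    if not PATH_RE.search(parts.path):
        return False
    if "playerlist" not in parse_qs(parts.query).get("action", []):
        return False
    # parse_qs decodes '+' and %XX, so "sid=-3506+OR+7339%3D7339" becomes
    # "-3506 OR 7339=7339" before the tautology check.
    sids = parse_qs(body, keep_blank_values=True).get("sid", [])
    return any(TAUTOLOGY_RE.search(s) for s in sids)


def scan(records):
    """Return the indexes of matching records; each record is (method, url, body)."""
    return [i for i, (m, u, b) in enumerate(records) if is_joomsport_sqli(m, u, b)]


# Constructed sample records (hypothetical, not real traffic).
SAMPLE_RECORDS = [
    ("POST", "/wordpress/joomsport_season/new-yorkers/?action=playerlist",
     "sid=-3506+OR+7339%3D7339&page=1"),      # matches the page's IOC
    ("POST", "/wordpress/joomsport_season/new-yorkers/?action=playerlist",
     "sid=12&page=1"),                        # legitimate request
    ("POST", "/wordpress/joomsport_season/spring-cup/?action=playerlist",
     "sid=1+OR+%27a%27%3D%27a%27"),           # other slug, quoted tautology
    ("GET", "/wordpress/joomsport_season/new-yorkers/?action=playerlist&sid=1",
     ""),                                     # no POST body: not flagged
]

if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS))  # [0, 2]
```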

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P