CVE-2022-2718: 
WordPress vulnerability analysis and mitigation

The JoomSport WordPress plugin (versions up to and including 5.2.5) was identified with a SQL Injection vulnerability (CVE-2022-2718). The vulnerability was discovered in the 'orderby' parameter on the joomsport-page-extrafields page, which was reported on September 6, 2022. This security issue affects the JoomSport – for Sports: Team & League, Football, Hockey & more plugin, a popular sports management solution for WordPress websites (NVD).

The vulnerability stems from insufficient escaping of the user-supplied 'orderby' parameter and inadequate preparation of existing SQL queries. The issue is classified as CWE-89 (SQL Injection) with a CVSS v3.1 base score of 7.2 (High) according to Wordfence, while NIST assigned a score of 4.9 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity (NVD, Wordfence Advisory).

The vulnerability allows authenticated attackers with administrative privileges to append additional SQL queries to existing ones, potentially enabling the extraction of sensitive information from the database. This could lead to unauthorized access to and exposure of database contents (NVD).

The vulnerability was patched in version 5.2.6 of the JoomSport plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).