CVE-2025-7721: 
WordPress vulnerability analysis and mitigation

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2025-7721) affecting all versions up to and including 5.7.3. The vulnerability was discovered and disclosed on October 3, 2025 (NVD).

The vulnerability exists in the task parameter handling within the plugin, allowing unauthenticated attackers to include and execute arbitrary .php files on the server. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (NVD, Wordfence).

The vulnerability allows attackers to bypass access controls, obtain sensitive data, and potentially achieve code execution in cases where .php file types can be uploaded and included. Due to the unauthenticated nature of the exploit and the high impact on system security, this vulnerability poses a significant risk to affected installations (NVD).

The vulnerability was patched in version 5.7.4 of the JoomSport plugin. Users are strongly advised to update to this version or later to protect their installations. The fix includes proper sanitization of the task parameter before file inclusion (WordPress Plugin).