All versions of the WordPress plugin JoomSport – for Sports: Team & League, Football, Hockey & more up to and including version 5.7.3 are affected by a Local File Inclusion (LFI) vulnerability. The issue arises from improper handling of the task parameter, allowing unauthenticated attackers to load and execute arbitrary PHP files on the server. This flaw could enable attackers to bypass access restrictions, gain access to sensitive data, or execute malicious code if PHP files can be uploaded and included.
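
Added example (not from the advisory or the plugin's code): a Python check that scans web access logs for requests whose `task` query parameter is not a plain identifier, which is how inclusion attempts against this parameter would appear to a defender. The combined log format, the sample lines, and the assumption that legitimate `task` values are short identifiers sent in the query string are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate task values are short identifiers (letters, digits, "_", "-").
SAFE_TASK = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e) so encoded path characters are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_tasks(line):
    """Return the decoded task values in one log line that are not plain identifiers."""
    m = REQUEST.search(line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    # parse_qs decodes once; decode_fully removes any further encoding layers.
    values = parse_qs(query, keep_blank_values=True).get("task", [])
    return [d for d in map(decode_fully, values) if not SAFE_TASK.fullmatch(d)]

def scan(lines):
    """Map 1-based line number to suspicious task values, for lines that have any."""
    found = {}
    for number, line in enumerate(lines, 1):
        hits = suspicious_tasks(line)
        if hits:
            found[number] = hits
    return found

# Constructed sample log lines (documentation IP ranges, made-up paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /?task=example_view HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /?task=..%2F..%2Fexample HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2025:10:00:06 +0000] "GET /?task=%252e%252e%252fexample HTTP/1.1" 200 90',
    '198.51.100.4 - - [01/Jan/2025:10:00:09 +0000] "GET /style.css HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(f"line {number}: suspicious task value(s) {hits}")
```

Access logs normally record only the query string, so a `task` value sent in a POST body would need request-body logging or a WAF rule to be seen.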

References

- [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-7721)
- [MITRE CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-7721)