CVE-2025-7721

CVE-2025-7721 is a Local File Inclusion (LFI) vulnerability, classified under CWE-98, affecting the JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress in all versions up to and including 5.7.3. The flaw resides in the handling of the 'task' parameter within the plugin's controller, specifically in the class-jsport-controller.php file around line 74, enabling the inclusion and execution of arbitrary .php files on the server. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote exploitation without authentication or user interaction.

Unauthenticated attackers can exploit this vulnerability over the network by manipulating the 'task' parameter to specify paths to arbitrary .php files, leading to their execution on the server. Successful exploitation allows attackers to execute PHP code from included files, bypassing access controls, accessing sensitive data, or achieving remote code execution (RCE) in scenarios where .php file uploads are possible elsewhere on the site.

Advisories from Wordfence detail the vulnerability in their threat intelligence report, while the WordPress plugin trac provides evidence of the fix in changeset 3371353, which patches the insecure file inclusion logic in the affected controller class. Security practitioners should update to a version beyond 5.7.3 and review server configurations to restrict file inclusion paths, as recommended by these sources.