A critical vulnerability has been identified in multiple JoomSport products, specifically the WordPress plugin suite. This flaw allows an unauthenticated attacker to access and execute local files on the server, which could lead to a complete compromise of the affected website, including sensitive data theft, server takeover, and further attacks launched from the compromised system.

The vulnerability is a Local File Inclusion (LFI) flaw within the "JoomSport – for Sports" WordPress plugin. An unauthenticated attacker can exploit this by manipulating the task parameter in a request to the plugin. By supplying specially crafted input, such as directory traversal sequences (../), an attacker can force the application to include and process arbitrary files from the server's local filesystem. This can be used to disclose sensitive information, such as configuration files containing database credentials (e.g., wp-config.php), or achieve Remote Code Execution (RCE) if combined with other techniques like log poisoning or file upload capabilities.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate threat to the organization. Successful exploitation could lead to a complete loss of confidentiality, integrity, and availability for the affected web server and its data. Potential consequences include theft of customer data, intellectual property, or financial information; website defacement; and the use of the compromised server as a pivot point for further attacks against the internal network. The reputational damage and potential regulatory fines resulting from a data breach would be severe.

Immediate Action: Immediately update The JoomSport Multiple Products to the latest patched version as recommended by the vendor. After patching, review web server access logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: System administrators should actively monitor web server logs for requests targeting the JoomSport plugin that contain directory traversal payloads (e.g., ../, %2e%2e%2f) within the task parameter. Implement file integrity monitoring on core application files to detect unauthorized changes.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attacks. Ensure the web server process is running with the lowest possible privileges to limit the impact of a potential compromise.

Public Exploit Available: true

Given the critical severity (CVSS 9.8) and the availability of public exploits, this vulnerability must be treated as a top priority. The risk of server compromise is extremely high. We strongly recommend applying the vendor-supplied patches to all affected systems immediately. If patching is delayed for any reason, the compensating controls listed above should be implemented without delay. Do not wait for this CVE to appear on the CISA KEV list to take action.