Vulnerabilities and security researches forsports-club-management sports-club-management

Apr 13, 2026

CVE, Research URL: CVE-2026-4871
Home page URL: Security reports for Sports Club Management
Application: Sports Club Management
Date: Apr 08, 2026
Research Description: The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the `scm_member_data` shortcode in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.12.9.
Status: vulnerable