Vulnerabilities and security researches forsportspress sportspress

Feb 27, 2026

CVE, Research URL: CVE-2025-15368
Home page URL: Security reports for SportsPress – Sports Club & League Manager
Application: SportsPress – Sports Club & League Manager
Date: Feb 04, 2026
Research Description: The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
Affected versions: max 2.7.26.
Status: vulnerable

Aug 01, 2024

CVE, Research URL: CVE-2024-3986
Home page URL: Security reports for SportsPress – Sports Club & League Manager
Application: SportsPress – Sports Club & League Manager
Date: Jul 30, 2024
Research Description: The SportsPress WordPress plugin before 2.7.22 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: max 2.7.22.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2021-24578
Home page URL: Security reports for SportsPress – Sports Club & League Manager
Application: SportsPress – Sports Club & League Manager
Date: Dec 21, 2021
Research Description: The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue
Affected versions: max 2.7.9.
Status: vulnerable

CVE, Research URL: CVE-2020-13892
Home page URL: Security reports for SportsPress – Sports Club & League Manager
Application: SportsPress – Sports Club & League Manager
Date: Jun 09, 2020
Research Description: The SportsPress plugin before 2.7.2 for WordPress allows XSS.
Affected versions: max 2.7.2.
Status: vulnerable

CVE, Research URL: CVE-2024-1178
Home page URL: Security reports for SportsPress – Sports Club & League Manager
Application: SportsPress – Sports Club & League Manager
Date: Mar 05, 2024
Research Description: The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings_save() function in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to update the permalink structure for the clubs
Affected versions: max 2.7.18.
Status: vulnerable

CVE, Research URL: CVE-2024-34824
Home page URL: Security reports for SportsPress – Sports Club & League Manager
Application: SportsPress – Sports Club & League Manager
Date: Jun 11, 2024
Research Description: Missing Authorization vulnerability in ThemeBoy SportsPress – Sports Club & League Manager.This issue affects SportsPress – Sports Club & League Manager: from n/a through 2.7.20.
Affected versions: max 2.7.21.
Status: vulnerable