Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-04
CVE-2025-15368 - Sportspress Plugin
The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
PLUGIN
Sportspress
CVE-2025-15368
Risk Score
Threat Entry
Updated 2025-03-13
CVE-2024-3986 - Sportspress Plugin
The SportsPress WordPress plugin before 2.7.22 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Sportspress
CVE-2024-3986
Risk Score
Threat Entry
Updated 2025-01-08
CVE-2024-1178 - Sportspress Plugin
The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings_save() function in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to update the permalink structure for the clubs
PLUGIN
Sportspress
CVE-2024-1178
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24578 - Sportspress Plugin
The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue
PLUGIN
Sportspress
CVE-2021-24578
Risk Score