CVE-2025-7721 — AI Deep Analysis Summary

🚨 **Essence**: Local File Inclusion (LFI) in JoomSport plugin via the `task` parameter.…

🛡️ **Root Cause**: CWE-98 (Improper Control of Filename for Include/Require). The flaw lies in how the `task` parameter is handled in `class-jsport-controller.php` without proper sanitization, allowing path traversal.

📦 **Affected**: WordPress Plugin **JoomSport** (by beardev). 📅 **Version**: 5.7.3 and earlier. 🌐 **Platform**: WordPress sites running this specific sports management plugin.

🕵️ **Attacker Capabilities**: Can read sensitive local files (e.g., config, source code).…

🔓 **Threshold**: **LOW**. CVSS indicates **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privileges Required), **UI:N** (No User Interaction). It is easily exploitable remotely without login.

📜 **Public Exploit**: No specific PoC code listed in the provided data. However, the vulnerability is well-documented in vendor changelogs and WordFence intel, making exploitation logic public knowledge.

🔍 **Self-Check**: Scan for JoomSport plugin version ≤ 5.7.3. Check if `task` parameter in requests is unsanitized. Look for LFI patterns in server logs targeting `class-jsport-controller.php`.

✅ **Fixed**: **YES**. Reference link `3371353` indicates a fix was committed to the WordPress plugin trunk. Users should update to the latest version immediately.

🚧 **No Patch Workaround**: If unable to update, restrict web server access to `class-jsport-controller.php`. Implement WAF rules to block LFI payloads in the `task` parameter. Disable plugin if not in use.

🔥 **Urgency**: **HIGH**. CVSS Vector is **Critical/High** (H/H/H). Since it requires no authentication and is network-accessible, immediate patching is strongly recommended to prevent remote code execution.