CVE-2026-42647
Published: 11 June 2026
Summary
CVE-2026-42647 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-42647 is a blind SQL injection vulnerability (CWE-89) in the Beardev JoomSport WordPress plugin, caused by improper neutralization of special elements in SQL commands. The flaw affects all versions through 5.7.7 and carries a CVSS 3.1 score of 9.3, reflecting network attack vector, low complexity, no required privileges or user interaction, and changed scope with high confidentiality impact.
An unauthenticated remote attacker can supply crafted input to trigger the injection, enabling extraction of sensitive database contents through blind techniques while also producing limited availability effects. The vulnerability is exploitable directly over the network against any instance of the affected plugin.
The primary public reference is the Patchstack advisory entry for the JoomSport plugin, which documents the SQL injection issue in version 5.7.7. No separate patch or mitigation details are provided in the available references.
EPSS remains flat at 0.0518 with no material increase from its initial value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-36359
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Direct, unauthenticated network exploitation of a public-facing WordPress plugin via blind SQL injection to extract database contents.
Affected Assets
- Beardev JoomSport WordPress plugin, all versions through 5.7.7
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs to block crafted SQL syntax that enables the blind injection described in CVE-2026-42647.
- SI-2 (Flaw Remediation): mandates timely remediation of the known SQL-injection flaw in JoomSport versions through 5.7.7 before exploitation occurs.
- Monitoring: enables monitoring of database or application traffic to identify anomalous queries indicative of blind SQL injection attempts.