WordPress Security Bulletin: SportsPress Plugin Vulnerability (CVE-2025-15368)

On this page

Security Alert Summary

The SportsPress plugin for WordPress contains a Local File Inclusion (LFI) vulnerability via the shortcode template_name attribute in all versions up to and including 2.7.26. Authenticated users with contributor-level permissions or higher can include and execute files on the server, which may allow execution of PHP code, bypassing of access controls, or exposure of sensitive data if PHP files can be uploaded and included.


CVE Details

  • CVE ID: CVE-2025-15368
  • Affected plugin / component: SportsPress plugin for WordPress (shortcode handling via template_name attribute)
  • Affected versions: All versions up to and including 2.7.26
  • Published: February 4, 2026 at 2:16:08 PM UTC
  • Last modified: February 4, 2026 at 4:33:44 PM UTC
  • CVSS v3.1: Base Score 8.8, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Authentication / privileges / user interaction: Authentication required — attacker must have low privileges (PR:L). The CVE description specifies authenticated users with contributor-level and above. User interaction: None (UI:N).
  • Primary impact: Confidentiality: High; Integrity: High; Availability: High
  • CWE / weakness: CWE-98
  • Vulnerability status: Awaiting Analysis (as stated in the CVE entry)
  • Fixed version: Not specified in the CVE entry.

Technical Details

The vulnerability is a Local File Inclusion (LFI) that arises from insufficient validation or sanitization of the template_name attribute used by SportsPress shortcodes. When the plugin processes that shortcode attribute, an authenticated user with contributor-level or higher privileges can cause the application to include files from the server filesystem. If an attacker can upload a PHP file or otherwise place a PHP-containing file on the server and then cause it to be included, the PHP code in that file may execute in the context of the web server.

The CVE description indicates the weakness enables inclusion and execution of arbitrary files, which can be used to bypass access controls or obtain sensitive data. The vulnerability exists because the plugin does not adequately restrict which files may be referenced by the template_name shortcode attribute before including them.


How This Could Impact Your Website

In a typical site setup, the site owner manages the plugin and administrative settings, internal staff (editors or contributors) manage content, and external contractors or contributors may have contributor-level access. An attacker with contributor-level access could exploit this vulnerability to include files from the server. Practical consequences include exposure of internal files and sensitive data, and the potential execution of PHP code if a suitable file is included.

Realistic impacts include disclosure of internal user information such as email addresses or configuration files, and increased risk of targeted phishing or social engineering if attacker-controlled data is exposed. The vulnerability does not require user interaction and can be exploited by an authenticated contributor-level account.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts and higher.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, file uploads, or unauthorized includes.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References