SportsPress – Sports Club & League Manager <= 2.7.8 is vulnerable to Reflected Cross-Site Scripting (XSS) vulnerability

Unauthenticated

Published
2021-11-15

The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue

CVE

https://www.cve.org/CVERecord?id=CVE-2021-24578

CVSS

Score:6.1

Severity:Medium

Version: 2.7.8

There is a patch available in v2.7.9 and we strongly recommend you update to this version as soon as possible.