CVE-2025-15368: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in themeboy SportsPress – Sports Club & League Manager
The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via the 'template_name' attribute of its shortcodes. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-15368 is a Local File Inclusion vulnerability classified under CWE-98, affecting the SportsPress – Sports Club & League Manager plugin for WordPress. The vulnerability exists in all versions up to and including 2.7.26 and is triggered via the 'template_name' attribute in shortcodes. Authenticated users with contributor-level or higher permissions can manipulate this attribute to include arbitrary files from the server filesystem. If an attacker can upload PHP files (e.g., via other plugin vulnerabilities or misconfigurations), they can execute arbitrary PHP code, leading to full remote code execution on the server. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based with low complexity. The impact includes full compromise of confidentiality, integrity, and availability of the affected system. The CVSS v3.1 score of 8.8 reflects the high impact and ease of exploitation. No official patches or updates are currently linked, increasing the urgency for mitigation. The vulnerability enables attackers to bypass access controls, access sensitive data, and execute arbitrary commands, posing a significant threat to WordPress sites using this plugin.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those operating sports clubs, leagues, or event management websites using WordPress with the SportsPress plugin. Successful exploitation can lead to full server compromise, data breaches involving personal or financial information, defacement, or use of the server as a pivot point for further attacks. The impact extends to loss of customer trust, regulatory penalties under GDPR for data breaches, and operational disruptions. Organizations relying on contributor-level user roles for content management are particularly vulnerable. Given the widespread use of WordPress across Europe and the popularity of SportsPress in sports and event management sectors, the potential scale of impact is considerable. Attackers could exploit this vulnerability to deploy malware, ransomware, or conduct espionage, especially targeting organizations with valuable sports-related data or high-profile events.
Mitigation Recommendations
Immediate mitigation steps include restricting contributor-level user permissions to trusted individuals only and auditing existing user roles to minimize risk exposure. Organizations should implement strict file upload controls and disable the ability to upload executable PHP files unless absolutely necessary. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the 'template_name' shortcode attribute. Monitoring logs for unusual file inclusion attempts is critical. Until an official patch is released, consider disabling or removing the SportsPress plugin if feasible. Additionally, applying the principle of least privilege on the server file system can limit the impact of file inclusion. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs. Engage with the plugin vendor or community for updates and patches, and subscribe to vulnerability disclosure channels for timely information.
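One concrete form of the log and content monitoring recommended above is to audit stored post content for shortcodes whose 'template_name' attribute is not a plain template slug, since contributor-level users can only plant the attribute through content they author. The Python script below is an added example, not SportsPress or Wordfence code: the shortcode name example_table, the post records and the slug rule are constructed assumptions, and the script does not know which shortcodes the plugin actually registers.

```python
import re

# WordPress shortcode syntax: [name attr="value" attr2='value' attr3=bare]
# Limitation: a value containing ']' would end the match early.
SHORTCODE_RE = re.compile(r"\[(?P<name>[A-Za-z0-9_-]+)(?P<attrs>[^\]]*)\]")
# The attribute named in the advisory; WordPress accepts double, single or no quotes.
TEMPLATE_ATTR_RE = re.compile(
    r"""template_name\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s\]]+))""",
    re.IGNORECASE,
)
# Assumption: a legitimate template name is a short slug with no path characters.
SAFE_SLUG_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def extract_template_names(content):
    """Return (shortcode_name, template_name) pairs found in post content."""
    found = []
    for m in SHORTCODE_RE.finditer(content):
        am = TEMPLATE_ATTR_RE.search(m.group("attrs"))
        if am:
            value = am.group("dq") or am.group("sq") or am.group("bare") or ""
            found.append((m.group("name"), value))
    return found

def is_safe_template_name(value):
    """Slug-only check: rejects '/', '..', wrappers such as 'php://' and empty values."""
    return bool(SAFE_SLUG_RE.match(value))

def audit_posts(posts):
    """posts: iterable of dicts with 'id', 'author', 'content' (e.g. rows from wp_posts).
    Returns one finding per shortcode whose template_name fails the slug check."""
    findings = []
    for p in posts:
        for sc, value in extract_template_names(p["content"]):
            if not is_safe_template_name(value):
                findings.append({"post_id": p["id"], "author": p["author"],
                                 "shortcode": sc, "template_name": value})
    return findings

# Constructed sample records standing in for wp_posts rows.
SAMPLE_POSTS = [
    {"id": 101, "author": "editor_anna", "content": 'Results: [example_table template_name="results-compact"]'},
    {"id": 102, "author": "contrib_bob", "content": "[example_table template_name='../../../../var/tmp/note']"},
    {"id": 103, "author": "contrib_bob", "content": "[example_table template_name=/srv/uploads/2026/02/x]"},
    {"id": 104, "author": "editor_anna", "content": "No shortcodes here."},
]

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']} by {f['author']}: [{f['shortcode']}] template_name={f['template_name']!r}")
```

Run the same function over revisions and drafts as well as published posts, since the shortcode is rendered wherever the content is previewed.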
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-30T16:50:09.043Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69834d77f9fa50a62f8e3935
Added to database: 2/4/2026, 1:45:27 PM
Last enriched: 2/4/2026, 1:59:45 PM
Last updated: 2/6/2026, 5:08:02 PM