CVE-2025-7721 is a critical vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Programs) affecting the WordPress plugin 'JoomSport – for Sports: Team & League, Football, Hockey & more' developed by beardev. This vulnerability exists in all versions up to and including 5.7.3 and allows unauthenticated attackers to exploit a Local File Inclusion (LFI) flaw via the 'task' parameter. By manipulating this parameter, attackers can include arbitrary PHP files on the server, leading to remote code execution (RCE). This occurs because the plugin fails to properly sanitize or validate the filename input used in PHP include or require statements. The attacker can upload malicious PHP files (if upload functionality is available elsewhere or via other vulnerabilities) and then execute them by including them through the vulnerable parameter. The impact includes bypassing access controls, unauthorized data disclosure, and full system compromise. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity, with attack vector Network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits are currently reported in the wild, but the ease of exploitation and severity make it a high-risk threat. The vulnerability was reserved in July 2025 and published in October 2025. No patches or fixes are currently linked, suggesting that users must monitor for updates or apply mitigations proactively.

For European organizations, this vulnerability poses a significant risk, especially for those using WordPress sites with the JoomSport plugin to manage sports-related content. The ability for unauthenticated attackers to execute arbitrary PHP code can lead to complete server takeover, data breaches involving sensitive user or organizational data, defacement of websites, and disruption of services. This can damage reputation, lead to regulatory non-compliance (e.g., GDPR violations due to data exposure), and cause financial losses. Sports organizations, fan communities, and media outlets relying on this plugin are particularly vulnerable. The critical nature of the flaw means attackers can operate remotely without any credentials or user interaction, increasing the likelihood of automated exploitation attempts. Given the widespread use of WordPress in Europe and the popularity of sports content, the threat surface is substantial. Additionally, compromised sites could be used as pivot points for further attacks within corporate networks or to distribute malware to visitors.

1. Immediate mitigation involves disabling or uninstalling the vulnerable JoomSport plugin until a patch is released. 2. If disabling is not feasible, restrict access to the vulnerable parameter by implementing Web Application Firewall (WAF) rules that block requests containing suspicious 'task' parameter values or attempts to include files. 3. Harden file upload mechanisms on the server to prevent uploading of executable PHP files, including strict MIME type and extension checks, and storing uploads outside the web root. 4. Employ PHP configuration settings such as 'open_basedir' to restrict file inclusion to safe directories. 5. Monitor web server logs for unusual requests targeting the 'task' parameter or attempts to include files. 6. Keep WordPress core and all plugins updated and subscribe to vendor security advisories for timely patching. 7. Conduct regular security audits and penetration testing focusing on file inclusion and code execution vulnerabilities. 8. Implement least privilege principles for web server and PHP process permissions to limit the impact of any successful exploitation.