{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4871", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-25T21:57:19.644Z", "datePublished": "2026-04-08T06:43:38.173Z", "dateUpdated": "2026-04-08T18:54:20.614Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:53.866Z"}, "affected": [{"vendor": "pstruik", "product": "Sports Club Management", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.12.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the `scm_member_data` shortcode in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Sports Club Management <= 1.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30a6d334-3838-4ed4-b688-c3887d9091c0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sports-club-management/tags/1.12.9/code/members_shortcodes.php#L129"}, {"url": "https://plugins.trac.wordpress.org/browser/sports-club-management/trunk/code/members_shortcodes.php#L129"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2026-04-07T17:38:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:53:32.655876Z", "id": "CVE-2026-4871", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:54:20.614Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the `scm_member_data` shortcode in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4871", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:22.690", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sports-club-management/tags/1.12.9/code/members_shortcodes.php#L129"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sports-club-management/trunk/code/members_shortcodes.php#L129"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30a6d334-3838-4ed4-b688-c3887d9091c0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.12.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Sports Club Management", "source": "cna", "vendor": "pstruik"}, "product": "sports_club_management", "vendor": "pstruik"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T08:24:31.696728+00:00", "value": {"mitigation_remediation": ["Update the Sports Club Management plugin to the latest version (1.13 or newer).", "If an update is unavailable, remove or disable use of the scm_member_data shortcode from content to stop the vulnerable attribute usage.", "After update or removal, confirm that no legacy shortcode instances remain in posts or pages."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw is present in all releases of the Sports Club Management WordPress plugin up to and including version\u202f1.12.9. The affected product is the plugin developed by pstruik, distributed through the WordPress plugin repository. End\u2011users running these versions on any WordPress installation are at risk.", "description_and_impact": "The Sports Club Management plugin accepts arbitrary input through its 'before' and 'after' shortcode attributes. When a user with Contributor or higher authority supplies unsanitized content, the strings are stored and later rendered directly into the page. This allows the attacker to inject malicious JavaScript that executes in the browser context of any visitor who views the affected page, potentially exposing session data or performing other malicious actions. The vulnerability aligns with CWE\u201179: Improper Neutralization of Input During Web Page Generation.", "risk_and_exploitability": "The static CVSS score is 6.4, indicating medium severity, while no EPSS data is available and this vulnerability is not cataloged in CISA\u2019s KEV list. The required privilege level is Contributor or higher, which is typically granted to authenticated users who need to edit content. Once the malicious script is embedded, any visitor to the page will execute it, turning the vulnerability into a broad cross\u2011site scripting vector. Exploit is straightforward for an attacker with the necessary role; the attacker must simply add content to a page or post using the shortcode. The impact is confined to the affected WordPress site and its users, but can lead to cookie theft, session hijack, defacement, or further compromise."}}}}, "created": "2026-04-08T19:31:14.363140+00:00", "updated": "2026-04-08T19:43:47.731815+00:00", "vendors": ["pstruik", "pstruik$PRODUCT$sports_club_management", "wordpress", "wordpress$PRODUCT$wordpress"]}