We also experienced the issue updating to version 3.8.1, where we could no longer access the WordPress dashboard (white screen of death).
SOLUTION: Revert back to previous version (version 3.8) until author can address the latest release issue.
Here is the link for the previous version: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip
This fixed our site(s) without having to modify core WP files!!
@ben52 ignore me and my solution. I realised afterwards that my plugin had deactivated. I will look at this again tonight.
@borellidesigns This is leaving you open to a published exploit allowing someone to get your admin username and password. I would deactivate if you can until a solution is found.
An SQL Injection vulnerability exists in the league_id parameter of a function call made by the leaguemanager_export page. This request is processed within the leaguemanager.php:
if ( isset($_POST['leaguemanager_export']))
    $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);
This does not sanitize against SQL injection, and the value is passed to the admin/admin.php page, into the export( $league_id, $mode ) function, which also does not sanitize against SQL injection
when making this call: $this->league = $leaguemanager->getLeague($league_id);
The information is then echoed to a CSV file that is then provided.
Since no authentication is required when making a POST request to this page,
i.e. /wp-admin/admin.php?page=leaguemanager-export, the request can be made with no established session.
Fix:
SOLUTION is: Revert back to previous version (version 3.8)
A possible fix for this would be to cast the league_id to an integer during any of the function calls. The following changes can be made in the leaguemanager.php file:
in the end of file change:
$lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);
with:
$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']);
solution from: http://bot24.blogspot.it/2013/03/wordpress-leaguemanager-plugin-38-sql.html
for me it’s working.
If you want to stop the update notice in WordPress, change the version from 3.8 to 3.8.1 at the top of the same file: leaguemanager.php.
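As an added illustration (not the plugin's code and not from any poster above), the following stand-alone PHP script shows the two layers the posts describe for the league_id parameter: validating it as an integer before it reaches getLeague(), and binding it as a typed parameter in the query. It also gates the export behind an authorization check, since the report notes the handler runs without an established session. An in-memory SQLite table via PDO stands in for the plugin's league table, and the table name, column names and the boolean in place of WordPress's current_user_can()/check_admin_referer() are all assumptions made so the script runs without WordPress.

```php
<?php
// Added example: hardened handling of the league_id parameter that the
// leaguemanager_export handler passes to getLeague(). The table schema and
// the $user_is_admin flag are assumptions standing in for the real plugin
// and for WordPress's capability/nonce checks.

function validate_league_id($raw): ?int {
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // e.g. "3 abc" or an empty string, which is stricter than a bare (int)
    // cast that would silently turn "3 abc" into 3.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function get_league(PDO $db, int $league_id): ?array {
    // The id is bound as an integer parameter, so it is never spliced into
    // the SQL text. In WordPress the equivalent is $wpdb->prepare() with %d.
    $stmt = $db->prepare('SELECT id, title FROM leagues WHERE id = :id');
    $stmt->bindValue(':id', $league_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function handle_export(PDO $db, array $post, bool $user_is_admin): string {
    // Authorization first: in WordPress this would be current_user_can()
    // plus check_admin_referer(); a boolean stands in here.
    if (!$user_is_admin) {
        return "error: export requires an authenticated administrator\n";
    }
    $league_id = validate_league_id($post['league_id'] ?? '');
    if ($league_id === null) {
        return "error: league_id must be a positive integer\n";
    }
    $league = get_league($db, $league_id);
    if ($league === null) {
        return "error: no such league\n";
    }
    // One CSV line of the kind the export would write.
    return sprintf("%d,%s\n", $league['id'], $league['title']);
}

// Constructed sample data for the stand-in table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE leagues (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO leagues (id, title) VALUES (3, 'Sunday League')");

// A valid request, a request with a non-integer id, and an unauthenticated one.
echo handle_export($db, ['league_id' => '3'], true);
echo handle_export($db, ['league_id' => '3 abc'], true);
echo handle_export($db, ['league_id' => '3'], false);
```

Run it with the PHP CLI (the pdo_sqlite extension must be enabled). The (int) cast from the post above already stops the string from reaching the query as SQL; the filter_var check goes one step further by refusing malformed input instead of truncating it, and the parameter binding means the query is safe even if a future code path forgets the cast.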
Hey guys, please try the method suggested by Michael Dozark. It has worked for me. And thanks Michael for the solution.