A critical security flaw has been identified in MyCourts, a widely used platform for tennis court bookings and league management in the UK. The vulnerability, known as CVE-2025-57424, could have allowed malicious actors to hijack user sessions and gain unauthorized access to accounts.
What Occurred?
Security researcher William Fieldhouse from Aardwolf Security discovered a stored cross-site scripting (XSS) vulnerability within MyCourts. Surprisingly, the vulnerability was found in the Lawn Tennis Association (LTA) number field within user profiles.
The severity of the vulnerability was rated at 7.3 on the CVSS scale, categorizing it as high risk. Although the issue has since been rectified, it underscores the significance of web application penetration testing.
Exploitation Technique
The vulnerability stemmed from a common weakness in web applications: inadequate input validation. When users entered their LTA number in their profiles, the application failed to validate or sanitize the data before storing it in the database.
Because JavaScript placed in this field was stored as-is, it would execute in the browsers of other users who viewed the attacker’s profile in the directory. The attack unfolded in the following sequence:
- The attacker creates a profile with malicious code in the LTA number field
- Legitimate users visit the attacker’s profile in the directory
- The malicious JavaScript automatically runs in the victims’ browsers
- The script steals the victims’ session cookies
- The attacker leverages the stolen session to access the victims’ accounts
The absence of the HttpOnly flag on MyCourts session cookies enabled JavaScript to access these cookies, facilitating the session hijacking attack.
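The two defensive controls the description above points to are input validation plus output encoding of the profile field, and HttpOnly (with Secure and SameSite) on the session cookie. The following Python is an added illustration written for this article, not MyCourts code; the digits-only LTA number format and the cookie name `session` are assumptions chosen for the example.

```python
import html
import re
from http.cookies import SimpleCookie

# ASSUMPTION for this example: an LTA number is 1-10 ASCII digits.
# The real MyCourts rule is not stated in the advisory.
LTA_NUMBER_RE = re.compile(r"[0-9]{1,10}")


def validate_lta_number(value: str) -> bool:
    """Server-side allow-list check applied before the value is stored.

    Anything that is not a plain numeric identifier is rejected outright,
    so markup or script never reaches the database in the first place.
    """
    return LTA_NUMBER_RE.fullmatch(value.strip()) is not None


def render_profile_field(stored_value: str) -> str:
    """HTML-encode a stored value at output time (second layer of defence).

    Even if a bad value slipped past validation, encoding turns '<' into
    '&lt;' so the browser shows it as inert text instead of running it.
    """
    return f"<td>{html.escape(stored_value, quote=True)}</td>"


def session_cookie_header(token: str) -> str:
    """Build a Set-Cookie value with the flags that blunt cookie theft.

    HttpOnly keeps document.cookie from reading the token, Secure limits
    it to HTTPS, and SameSite=Lax limits cross-site sending.
    """
    cookie = SimpleCookie()
    cookie["session"] = token          # cookie name is an assumption
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    # output() prefixes the header name; we want only the value part.
    return cookie.output(header="").strip()


if __name__ == "__main__":
    # Constructed sample inputs, not data from the advisory.
    for candidate in ("1234567", "<b>not a number</b>"):
        print(candidate, "->", "accepted" if validate_lta_number(candidate) else "rejected")
    print(render_profile_field("<b>not a number</b>"))
    print(session_cookie_header("example-token"))
```

Validation on the way in and encoding on the way out are independent layers; the cookie flags are a third, limiting what a script can do if both of the first two fail.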
Real-World Implications
This vulnerability wasn’t just theoretical. The exploitation path was straightforward and could have resulted in severe repercussions:
- Session Hijacking: Attackers could seize active administrator sessions, granting them full control over club management functions.
- Account Takeover: With stolen sessions, attackers could manipulate bookings, alter user details, access financial data, and more.
- Persistent Access: Once in possession of session tokens, attackers could sustain unauthorized access without re-authentication.
- Data Breach: Complete access to sensitive user information, booking records, and potentially payment details stored in the system.
Positive Developments
HBI Consulting Ltd, the developer of MyCourts, promptly and professionally addressed the vulnerability. The flaw was reported in August 2025, and a fix was implemented within the same month as part of their routine monthly release cycle.
Aardwolf Security independently verified the remediation, confirming the successful resolution of the stored XSS vulnerability.