A high-severity stored XSS vulnerability (CVE-2025-57424) was discovered in the MyCourts tennis booking platform, allowing attackers to hijack user sessions through malicious JavaScript injected into LTA number fields. The vulnerability received a CVSS score of 7.3 and has been patched by the vendor following responsible disclosure. Tennis clubs using the platform should verify they're running the August 2025 release or later and review user activity for suspicious access.
Table of contents
What Happened?
How the Attack Worked
The Real-World Risk
The Good News
What Tennis Clubs Should Do
Lessons for Web Security
The Importance of Responsible Disclosure
Moving Forward