The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
History

Wed, 28 May 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Lukashuser
Lukashuser ekc Tournament Manager
Weaknesses CWE-352
CPEs cpe:2.3:a:lukashuser:ekc_tournament_manager:*:*:*:*:*:wordpress:*:*
Vendors & Products Lukashuser
Lukashuser ekc Tournament Manager

Fri, 16 May 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 May 2025 20:15:00 +0000

Type Values Removed Values Added
Description The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Title EKC Tournament Manager < 2.2.2 - Create Tournaments/Teams via CSRF
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2025-05-15T20:07:22.641Z

Updated: 2025-05-16T20:32:47.207Z

Reserved: 2024-10-09T19:35:57.459Z

Link: CVE-2024-9709

cve-icon Vulnrichment

Updated: 2025-05-16T20:32:41.727Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-15T20:16:01.107

Modified: 2025-05-28T15:41:13.123

Link: CVE-2024-9709

cve-icon Redhat

No data.