The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
History

Wed, 28 May 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Lukashuser
Lukashuser ekc Tournament Manager
Weaknesses CWE-352
CPEs cpe:2.3:a:lukashuser:ekc_tournament_manager:*:*:*:*:*:wordpress:*:*
Vendors & Products Lukashuser
Lukashuser ekc Tournament Manager

Fri, 16 May 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 May 2025 20:15:00 +0000

Type Values Removed Values Added
Description The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Title EKC Tournament Manager < 2.2.2 - Delete Tournaments via CSRF
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2025-05-15T20:07:22.830Z

Updated: 2025-05-16T20:29:55.401Z

Reserved: 2024-10-09T19:37:31.231Z

Link: CVE-2024-9711

cve-icon Vulnrichment

Updated: 2025-05-16T20:29:49.406Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-15T20:16:01.200

Modified: 2025-05-28T15:41:03.570

Link: CVE-2024-9711

cve-icon Redhat

No data.