WordPress Plugin Vulnerabilities

EKC Tournament Manager < 2.2.2 - Delete Tournaments via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
ekc-tournament-manager
Fixed in 2.2.2

References

CVE
CVE-2024-9711

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Vuln Seeker Cybersecurity Team
Submitter
Vuln Seeker Cybersecurity Team
Submitter website
https://vulnseeker.org
Verified
Yes
WPVDB ID
daee95c5-006e-4a83-b92a-7faa3e89d985

Timeline

Publicly Published
2024-09-10 (about 1 year ago)
Added
2024-11-14 (about 1 year ago)
Last Updated
2025-01-10 (about 11 months ago)

Other

Published
Title
Published
2023-11-01
Title
Funnelforms Free < 3.4.2 - Cross-Site Request Forgery to Arbitrary Post Deletion
Published
2023-03-17
Title
WooCommerce Weight Based Shipping < 5.5.0 - Settings Update via CSRF
Published
2024-01-04
Title
Depicter Slider < 2.0.7 - Settings Update via CSRF
Published
2025-12-08
Title
Advanced Product Fields (Product Addons) for WooCommerce < 1.6.18 - Cross-Site Request Forgery to Product Field Group Duplication and Publication
Published
2024-08-22
Title
Blog Introduction <= 0.3.0 - Settings Update via CSRF