CVE-2024-49674: 
WordPress vulnerability analysis and mitigation

The CVE-2024-49674 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the EKC Tournament Manager WordPress plugin, affecting versions up to and including 2.2.1. The vulnerability was discovered by Joshua Chan and publicly disclosed on October 21, 2024. This security flaw allows attackers to potentially upload a web shell to the web server (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation on certain functions within the plugin. It has been assigned a CVSS v3.1 base score of 9.6 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (Patchstack).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the web server through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link. This could potentially lead to complete system compromise through web shell upload (WPScan).

The vulnerability has been patched in version 2.2.2 of the EKC Tournament Manager plugin. Users are strongly advised to update to this version or later to mitigate the security risk. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).