CVE-2024-9709: 
WordPress vulnerability analysis and mitigation

The EKC Tournament Manager WordPress plugin before version 2.2.2 contains a Cross-Site Request Forgery (CSRF) vulnerability that affects its settings update functionality. The vulnerability was discovered and publicly published on October 9, 2024, and has been assigned the identifier CVE-2024-9709 (MITRE CVE, NVD).

The vulnerability stems from the absence of CSRF protection mechanisms when updating plugin settings. This security flaw has been assigned a CVSS 3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and affects the plugin's tournament and team creation functionality (WPScan).

When exploited, this vulnerability could allow attackers to manipulate plugin settings by tricking authenticated administrators into executing unwanted actions. The impact includes potential unauthorized changes to tournament and team configurations within the plugin (WPScan).

The vulnerability has been patched in version 2.2.2 of the EKC Tournament Manager plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).