CVE-2024-9711: 
WordPress vulnerability analysis and mitigation

The EKC Tournament Manager WordPress plugin before version 2.2.2 contains a Cross-Site Request Forgery (CSRF) vulnerability, discovered and disclosed on October 9, 2024. The vulnerability affects the plugin's settings update functionality, allowing potential manipulation of tournament settings (WIZ, CVE-MITRE).

The vulnerability stems from the absence of CSRF protection mechanisms when updating plugin settings. This security flaw has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD). A proof of concept demonstrates that by accessing a specific URL (http://example.com/wp-admin/admin.php?page=ekc-tournaments&action=delete&tournamentid=1), an attacker can delete tournaments due to the missing WordPress CSRF token in the request (WPSCAN).

The vulnerability allows attackers to manipulate plugin settings through CSRF attacks when a logged-in administrator accesses a maliciously crafted page. This could lead to unauthorized changes to tournament settings and potential deletion of tournament data (WIZ).

Users are advised to update to EKC Tournament Manager version 2.2.2 or later, which includes fixes for this vulnerability (WIZ).