Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tournamatch Tournamatch tournamatch allows Reflected XSS. This issue affects Tournamatch: from n/a through <= 4.7.0.
Published: 2025-04-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (CWE-79) that allows reflected XSS. When a crafted value is included in a request, the Tournamatch plugin echoes it back into the generated page without adequate escaping, so an attacker can run arbitrary JavaScript in the victim's browser. This can lead to credential theft, session hijacking, defacement, or the execution of other malicious payloads in the context of the site.

Affected Systems

All installations of the WordPress Tournamatch plugin up to and including version 4.7.0 are affected. The affected product is identified as Tournamatch (vendor Tournamatch). No other plugins or core WordPress components are mentioned as impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% shows a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a reflected XSS attack that requires an attacker to supply a crafted URL or form input; the payload is executed only in the client's browser and does not affect server integrity or data confidentiality. Because the flaw is client-side, widespread impact would depend on users clicking malicious links or visiting pages that carry the payload.

Generated by OpenCVE AI on April 30, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tournamatch plugin to the latest version (4.8.0 or later), which removes the XSS flaw.
  • If an upgrade is not immediately possible, deactivate or uninstall the plugin to eliminate the vulnerable code path.
  • Configure a web application firewall to filter and block attempts to inject script payloads into requests handled by Tournamatch.
  • Use content security policy headers on the site to restrict the execution of inline scripts, thereby limiting the impact if the flaw is still present.


Advisories

Source: EUVD
ID: EUVD-2025-10756
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tournamatch Tournamatch allows Reflected XSS. This issue affects Tournamatch: from n/a through 4.6.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tournamatch Tournamatch allows Reflected XSS. This issue affects Tournamatch: from n/a through 4.6.1.
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tournamatch Tournamatch tournamatch allows Reflected XSS.This issue affects Tournamatch: from n/a through <= 4.7.0.

Type: Title
Value removed: WordPress Tournamatch Plugin <= 4.6.1 - Reflected Cross Site Scripting (XSS) vulnerability
Value added: WordPress Tournamatch plugin <= 4.7.0 - Cross Site Scripting (XSS) vulnerability

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Apr 2025 16:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type: Description
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tournamatch Tournamatch allows Reflected XSS. This issue affects Tournamatch: from n/a through 4.6.1.

Type: Title
Value added: WordPress Tournamatch Plugin <= 4.6.1 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Value added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:25.160Z

Reserved: 2025-04-09T11:20:27.475Z

Link: CVE-2025-32600

Vulnrichment

Updated: 2025-04-11T15:25:47.253Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:31.247

Modified: 2026-04-23T15:29:11.247

Link: CVE-2025-32600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:15:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')