Description
The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-23
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Tournamatch WordPress plugin contains a stored cross‑site scripting flaw in the 'trn-ladder-registration-button' shortcode: attribute values written into the shortcode are placed into the rendered HTML without adequate sanitization on input or escaping on output (CWE‑79, improper neutralization of input during web page generation). A WordPress Contributor cannot publish and cannot save raw HTML, because content from that role is filtered by wp_kses on save, but kses removes HTML tags and attributes, not shortcode text, so a payload inside a shortcode attribute survives into the stored post and is expanded only when the page is rendered. The script then executes in the browser of whoever views the affected page, including the editor or administrator who previews the pending post, which is the realistic escalation path: actions performed with that viewer's session, credential theft, defacement, or staging of further malware.
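To make the bug class concrete, here is an added example of a shortcode handler written both the vulnerable way and the hardened way. It is constructed for this page and is not Tournamatch's code, nor OpenCVE's; the attribute names (ladder_id, label, class), the URL layout and the function names are assumptions made for illustration.

```php
<?php
/**
 * Constructed example of the bug class behind CVE-2025-4594: a shortcode
 * handler that interpolates caller-supplied attributes into HTML.
 * This is NOT Tournamatch's code. The attribute names (ladder_id, label,
 * class), the URL layout and the function names are assumptions.
 */

// Vulnerable pattern: attribute values are concatenated straight into markup.
// A Contributor can save a post containing, for example,
//   [trn-ladder-registration-button class='" onmouseover="alert(document.cookie)' label='Join']
// wp_kses only filters HTML tags, so the stored post keeps the shortcode text
// intact; when the page renders, the embedded double quote closes class=""
// and the event handler lands inside the <a> tag.
function example_insecure_registration_button( $atts ) {
	$atts = shortcode_atts(
		array(
			'ladder_id' => 0,
			'label'     => 'Register',
			'class'     => 'trn-button',
		),
		$atts,
		'trn-ladder-registration-button'
	);

	return '<a href="/ladders/' . $atts['ladder_id'] . '/register" class="' . $atts['class'] . '">'
		. $atts['label'] . '</a>';
}

// Hardened pattern: each value is constrained to its expected type and then
// escaped for the exact context it is written into.
function example_secure_registration_button( $atts ) {
	$atts = shortcode_atts(
		array(
			'ladder_id' => 0,
			'label'     => 'Register',
			'class'     => 'trn-button',
		),
		$atts,
		'trn-ladder-registration-button'
	);

	// Numeric id: cast rather than trusting the string.
	$ladder_id = absint( $atts['ladder_id'] );

	// URL context -> esc_url(); attribute context -> esc_attr() after
	// restricting the value to legal class characters; text node -> esc_html().
	$url   = esc_url( home_url( '/ladders/' . $ladder_id . '/register' ) );
	$class = esc_attr( sanitize_html_class( $atts['class'], 'trn-button' ) );
	$label = esc_html( wp_strip_all_tags( $atts['label'] ) );

	return sprintf( '<a href="%s" class="%s">%s</a>', $url, $class, $label );
}

// Only the hardened handler is registered; the insecure one exists to show
// the difference. Registering this name on a site with Tournamatch active
// would override the plugin's own handler.
add_shortcode( 'trn-ladder-registration-button', 'example_secure_registration_button' );
```

The important design point is that sanitization at save time is not enough on its own: shortcode_atts() only fills defaults, so the handler must escape per output context (esc_url for the href, esc_attr for the class, esc_html for the link text) every time it renders.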

Affected Systems

The vulnerability affects the Tournamatch plugin for WordPress in all releases up to and including version 4.6.1 (CPE cpe:2.3:a:tournamatch:tournamatch:*:*:*:*:*:wordpress:*:*). Administrators should check the installed version under Plugins in the WordPress dashboard or with `wp plugin list`; any install reporting 4.6.1 or earlier is affected.

Risk and Exploitability

The weakness carries a CVSS 3.1 base score of 6.4 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: network‑reachable, low attack complexity, low privileges (a Contributor account), no user interaction required, and a changed scope because the injected script runs in other users' browsers rather than within the plugin itself. The EPSS score is below 1% (0.033% in the most recent history entry below), the issue is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. The attacker must already hold, or be able to register, a Contributor‑level account; on sites with open registration or many untrusted authors that is a low bar. Once a payload is stored it fires for every viewer of the page, so the practical impact depends on who views it, and a privileged reviewer's session is the valuable target. The low current exploitation probability argues against emergency response, but the ease of exploitation once a contributor account exists warrants scheduled remediation.

Generated by OpenCVE AI on April 20, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tournamatch to the release that fixes this shortcode (the recommendation names 4.6.2 or later). Because the Remediation field above records no vendor fix, confirm in the plugin changelog or the Wordfence advisory that the installed release includes the sanitization and escaping changes before treating the issue as closed.
  • If an upgrade cannot be performed immediately, unregister or replace the 'trn‑ladder‑registration‑button' shortcode from a must‑use plugin, limit who holds the Contributor role and above (including any open registration that grants it), and have editors search pending and draft posts for the shortcode string before previewing them, since previewing a pending post renders the shortcode in the reviewer's browser.
  • A web application firewall rule that blocks quote and event‑handler patterns inside shortcode attributes on post save is a useful backstop, but it does nothing for payloads already stored in the database and cannot substitute for the output escaping that only the plugin's own rendering code can apply; treat it as a compensating control, not a fix.

Generated by OpenCVE AI on April 20, 2026 at 22:46 UTC.
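The shortcode neutralisation and the review of stored posts from the recommended actions above, as an added example must‑use plugin. This is not Tournamatch's or OpenCVE's code; it assumes the plugin registers its shortcode on 'init' at the default priority, and the function name, text domain and detection heuristic are choices made for this example.

```php
<?php
/**
 * Plugin Name: Tournamatch shortcode mitigation (constructed example)
 * Description: Temporary mitigation for CVE-2025-4594: neutralise the
 *   'trn-ladder-registration-button' shortcode and list posts that carry it.
 *
 * Constructed example, not code from Tournamatch or OpenCVE.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// 1. Replace the vulnerable shortcode after plugins have registered theirs.
//    Priority 99 on 'init' runs after the usual priority-10 registration
//    (assumption: Tournamatch registers its shortcodes on or before 'init').
add_action( 'init', function () {
	if ( shortcode_exists( 'trn-ladder-registration-button' ) ) {
		remove_shortcode( 'trn-ladder-registration-button' );
	}
	// Re-register with a handler that ignores every attribute, so pages that
	// already use the shortcode degrade to a static notice instead of breaking.
	add_shortcode( 'trn-ladder-registration-button', function () {
		return '<span class="trn-button">'
			. esc_html__( 'Registration temporarily unavailable.', 'example-mitigation' )
			. '</span>';
	} );
}, 99 );

// 2. Find stored instances so they can be reviewed, and flag those whose
//    attribute values contain the characters used to break out of an HTML
//    attribute (quotes, angle brackets, inline event handlers).
function example_find_tournamatch_shortcode_posts() {
	global $wpdb;

	$like = '%' . $wpdb->esc_like( '[trn-ladder-registration-button' ) . '%';
	$rows = $wpdb->get_results(
		$wpdb->prepare(
			"SELECT ID, post_author, post_status FROM {$wpdb->posts}
			 WHERE post_content LIKE %s AND post_type <> 'revision'",
			$like
		)
	);

	$findings = array();
	foreach ( $rows as $row ) {
		$content = get_post_field( 'post_content', $row->ID );
		// Capture the attribute string of every occurrence of the shortcode.
		if ( ! preg_match_all( '/\[trn-ladder-registration-button([^\]]*)\]/', $content, $m ) ) {
			continue;
		}
		foreach ( $m[1] as $attr_string ) {
			$atts       = (array) shortcode_parse_atts( $attr_string );
			$suspicious = false;
			foreach ( $atts as $value ) {
				if ( is_string( $value ) && preg_match( '/["\'<>]|\bon\w+\s*=/i', $value ) ) {
					$suspicious = true;
				}
			}
			$findings[] = array(
				'post_id'    => (int) $row->ID,
				'author'     => (int) $row->post_author,
				'status'     => $row->post_status,
				'atts'       => $atts,
				'suspicious' => $suspicious,
			);
		}
	}
	return $findings;
}

// Usage from WP-CLI:
//   wp eval 'print_r( example_find_tournamatch_shortcode_posts() );'
```

The scan deliberately includes drafts and pending posts, because a Contributor's payload sits in a pending post waiting for a reviewer to preview it; a scan of published content alone would miss exactly the case that matters.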


Advisories

Source: EUVD
ID: EUVD-2025-28026
Title: same text as the Description at the top of this page.
History

Sat, 12 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00037}
Values Added: {'score': 0.00033}

Fri, 11 Jul 2025 20:00:00 +0000

Type: First Time appeared
Values Added: Tournamatch; Tournamatch tournamatch
Type: CPEs
Values Added: cpe:2.3:a:tournamatch:tournamatch:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Tournamatch; Tournamatch tournamatch

Fri, 23 May 2025 13:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 May 2025 04:00:00 +0000

Type: Description
Values Added: the Description shown at the top of this page.
Type: Title
Values Added: Tournamatch <= 4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Vendor: Tournamatch
Product: Tournamatch

MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:34:48.225Z
Reserved: 2025-05-12T15:40:39.500Z
Link: CVE-2025-4594

Vulnrichment

Updated: 2025-05-23T12:37:59.206Z

NVD

Status: Analyzed
Published: 2025-05-23T04:15:33.487
Modified: 2025-07-11T19:49:23.317
Link: CVE-2025-4594

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:00:14Z

Weaknesses