Description
The Tournament Bracket Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bracket' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via shortcode input
Action: Patch Immediately
AI Analysis

Impact

The vulnerability lies in insufficient input sanitization within the Tournament Bracket Generator’s ‘bracket’ shortcode. Authenticated users with contributor or higher privileges can embed malicious scripts as shortcode attributes that are stored in the database without escaping. When any site visitor accesses a page containing the injected shortcode, the malicious script executes in that visitor’s browser, allowing attackers to steal session data, deface content, or dispatch further payloads. This flaw is a classic stored XSS vulnerability identified as CWE‑79.

Affected Systems

Blakelong’s Tournament Bracket Generator plugin for WordPress, all releases up to and including version 1.0.0, is affected. Users running any of those versions on a WordPress installation are vulnerable; no other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS base score of 6.4 indicates moderate to high severity. The EPSS score is under 1 %, implying a low but non‑zero likelihood of exploitation. The vulnerability is not included in the CISA KEV catalog. Exploitation requires authentication with contributor or higher role; an attacker could then post content that includes a malicious shortcode, causing the payload to run on all visitors who view the affected page.

Generated by OpenCVE AI on April 20, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tournament Bracket Generator plugin to the latest release to eliminate the unsafe shortcode handling.
  • If upgrading immediately is not possible, disable the plugin’s ‘bracket’ shortcode or remove any instances of it from posts and pages until a patch is applied.
  • Configure a stringent Content Security Policy that blocks inline scripts and disallows execution of scripts from untrusted sources to mitigate the impact of any residual XSS payloads.

Generated by OpenCVE AI on April 20, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19386 The Tournament Bracket Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bracket' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 07 Jul 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Blakelong
Blakelong tournament Bracket Generator
CPEs cpe:2.3:a:blakelong:tournament_bracket_generator:*:*:*:*:*:wordpress:*:*
Vendors & Products Blakelong
Blakelong tournament Bracket Generator

Fri, 27 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Jun 2025 02:15:00 +0000

Type Values Removed Values Added
Description The Tournament Bracket Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bracket' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Tournament Bracket Generator <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via bracket Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Blakelong Tournament Bracket Generator
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:02.629Z

Reserved: 2025-06-19T07:32:17.793Z

Link: CVE-2025-6290

cve-icon Vulnrichment

Updated: 2025-06-27T14:41:35.151Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-26T02:15:22.733

Modified: 2025-07-08T11:32:32.773

Link: CVE-2025-6290

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:30:16Z

Weaknesses