CRITICAL · CVE-2024-49674 · CVSS 9.6

CVE-2024-49674: CSRF in EKC Tournament Manager

Platform: wordpress

Component: ekc-tournament-manager

Fixed in: 2.2.2

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2024-49674 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in EKC Tournament Manager, a WordPress plugin. This vulnerability allows an attacker to upload a malicious web shell to the web server, granting them unauthorized access and control. The vulnerability affects versions of EKC Tournament Manager up to and including 2.2.1, and a patch is available in version 2.2.2.


Impact and Attack Scenarios

The impact of this CSRF vulnerability is severe. Successful exploitation allows an attacker to bypass access controls and upload a web shell. A web shell provides a remote command execution interface, effectively granting the attacker complete control over the affected web server. This can lead to data breaches, defacement of the website, installation of malware, and potentially lateral movement within the network. The ability to upload arbitrary code significantly expands the attack surface and increases the potential for long-term compromise.

Exploitation Context

This vulnerability was publicly disclosed on 2024-10-31. While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation (CSRF) suggest a high likelihood of exploitation attempts. The ability to upload a web shell makes this a particularly attractive target for malicious actors. No KEV listing at the time of writing.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.12% (32% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (base score 9.6, Critical)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: ekc-tournament-manager
Vendor: Lukas Huser
Affected range: 0.0.0 – 2.2.1
Fixed in: 2.2.2

Package Information

Active installs: 20 (Niche)
Plugin rating: 0.0
Requires WordPress: 6.0+
Compatible up to: 6.9.4

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-49674 is to immediately upgrade EKC Tournament Manager to version 2.2.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing strict input validation and output encoding on all user-supplied data within the plugin. Additionally, implement a Content Security Policy (CSP) to restrict the sources from which scripts can be executed. Monitor web server access logs for suspicious file uploads or unusual activity.
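For readers maintaining their own WordPress plugins, the following added example (not EKC Tournament Manager's code; every function, action, nonce and option name is hypothetical) shows the pattern behind a CSRF-to-upload flaw beside the hardened form, which binds the request to the logged-in user's session with a nonce, checks capability, and restricts the accepted file types:

```php
<?php
// Added example, not the plugin's own code. All names are hypothetical.
// Pattern A: an admin-side upload handler that trusts any POST it receives.
// Nothing ties the request to the administrator's own session, so a request
// submitted from another site while the admin is logged in is accepted.
function example_upload_handler_unprotected() {
    if ( ! empty( $_FILES['tournament_file'] ) ) {
        wp_handle_upload( $_FILES['tournament_file'], array( 'test_form' => false ) );
        // File lands under wp-content/uploads, whatever its extension.
    }
}

// Pattern B: the same handler with the checks WordPress provides for this purpose.
function example_upload_handler_hardened() {
    // 1. CSRF: the nonce was emitted by wp_nonce_field() into the plugin's own form
    //    and is bound to the current user's session; check_admin_referer() dies on mismatch.
    check_admin_referer( 'example_upload_action', 'example_upload_nonce' );

    // 2. Authorization: a nonce is not a substitute for a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    if ( empty( $_FILES['tournament_file'] ) ) {
        wp_die( 'No file supplied', 400 );
    }

    // 3. Content restriction: only the types the feature needs, never executable ones.
    $allowed = array( 'csv' => 'text/csv', 'json' => 'application/json' );
    $check   = wp_check_filetype_and_ext( $_FILES['tournament_file']['tmp_name'],
                                          $_FILES['tournament_file']['name'], $allowed );
    if ( empty( $check['ext'] ) ) {
        wp_die( 'File type not permitted', 415 );
    }
    $upload = wp_handle_upload( $_FILES['tournament_file'],
                                array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $upload['error'] ) ) {
        wp_die( esc_html( $upload['error'] ), 500 );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example_tournaments&uploaded=1' ) );
    exit;
}

// The plugin's own form emits the matching nonce field that the hardened handler verifies.
function example_render_upload_form() {
    echo '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_upload">';
    wp_nonce_field( 'example_upload_action', 'example_upload_nonce' );
    echo '<input type="file" name="tournament_file"><button type="submit">Upload</button></form>';
}
add_action( 'admin_post_example_upload', 'example_upload_handler_hardened' );
```

The nonce check is what defeats the cross-site request; the capability and file-type checks limit the damage if any single control is bypassed.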

How to fix

Update the EKC Tournament Manager plugin to the latest available version. If no version is available, consider disabling the plugin until a patched version is released. See the developer's website for more information and updates.


Frequently asked questions

What is CVE-2024-49674 — CSRF in EKC Tournament Manager?

CVE-2024-49674 is a critical Cross-Site Request Forgery (CSRF) vulnerability in EKC Tournament Manager allowing attackers to upload web shells. This grants them control over the web server.

Am I affected by CVE-2024-49674 in EKC Tournament Manager?

You are affected if you are using EKC Tournament Manager versions 2.2.1 or earlier. Upgrade to 2.2.2 to resolve the vulnerability.

How do I fix CVE-2024-49674 in EKC Tournament Manager?

Upgrade EKC Tournament Manager to version 2.2.2 or later. If immediate upgrade is not possible, implement input validation and a Content Security Policy (CSP).

Is CVE-2024-49674 being actively exploited?

While no active exploitation campaigns have been confirmed, the critical severity and ease of exploitation suggest a high likelihood of exploitation attempts.

Where can I find the official EKC Tournament Manager advisory for CVE-2024-49674?

Refer to the official EKC Tournament Manager website or WordPress plugin repository for the latest advisory and update information.
