Platform
wordpress
Component
ekc-tournament-manager
Fixed in
2.2.2
CVE-2024-49674 is a Cross-Site Request Forgery (CSRF) vulnerability in EKC Tournament Manager, a WordPress plugin. In a CSRF, the vulnerable request handler does not verify that the logged-in user actually meant to send the request, so an attacker can host a page that silently submits the plugin's file upload to the target site. When a logged-in user who can reach that upload function (typically an administrator) visits the attacker's page, the browser attaches the victim's WordPress session cookies and the server stores the attacker's file. That file can be a PHP web shell, which is why the advisory describes the impact as uploading a web shell to the web server. Versions up to and including 2.2.1 are affected; version 2.2.2 contains the fix.
The impact of this CSRF vulnerability is severe. Successful exploitation allows an attacker to bypass access controls and upload a web shell. A web shell provides a remote command execution interface, effectively granting the attacker complete control over the affected web server. This can lead to data breaches, defacement of the website, installation of malware, and potentially lateral movement within the network. The ability to upload arbitrary code significantly expands the attack surface and increases the potential for long-term compromise.
This vulnerability was publicly disclosed on 2024-10-31. No active exploitation campaign has been publicly confirmed, and there is no KEV listing at the time of writing. The attacker needs no account on the target: the only precondition is that a logged-in privileged user opens an attacker-controlled page, and the payoff is arbitrary PHP execution on the server. That combination makes the flaw an attractive target despite the user-interaction requirement.
Exploit Status
EPSS
0.12% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-49674 is to upgrade EKC Tournament Manager to version 2.2.2 or later as soon as possible. Input validation and output encoding do not address CSRF, and a Content Security Policy on your site does not either: the forged request originates from the attacker's page, whose policy the attacker controls. The fix is server-side, a nonce check plus a capability check on the upload handler, and only the plugin update provides it. If you cannot update right away, deactivate the plugin until you can. Independently of the update, configure the web server to refuse to execute PHP under wp-content/uploads (on Apache 2.4, a .htaccess in that directory containing <FilesMatch "\.php$"> Require all denied </FilesMatch>; on nginx, a location ~* ^/wp-content/uploads/.*\.php$ { deny all; } block placed before the PHP handler location) so that an uploaded shell cannot run. Monitor access logs for requests for .php files under wp-content/uploads and for POSTs to wp-admin endpoints whose Referer is another origin.
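The following is an added example, not code from EKC Tournament Manager (the advisory does not show the plugin's handler) and not its actual 2.2.2 fix. It puts the CSRF-prone upload-handler pattern the advisory describes next to a hardened version that performs the two checks the page's mitigation calls for: a nonce check (check_admin_referer) and a capability check (current_user_can), with the stored file restricted to non-executable types via wp_handle_upload. The hook names, the ekc_example_ prefix, the manage_options capability and the allowed file types are assumptions.

```php
<?php
/**
 * Added example, not the plugin's code. Shows the CSRF-prone upload handler
 * pattern beside a hardened one. Hook/action names, capability and allowed
 * MIME types are assumptions made for illustration.
 */

// --- VULNERABLE PATTERN: no nonce check, no capability check, trusts the filename.
// Any request carrying the victim's WordPress cookies reaches this code, including a
// form auto-submitted by an attacker's page. The uploaded name is attacker-chosen,
// so "shell.php" lands in a web-reachable directory: this is the web-shell upload.
add_action( 'admin_post_ekc_example_upload_unsafe', function () {
    $dir  = wp_upload_dir();
    $dest = $dir['basedir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_safe_redirect( admin_url( 'admin.php?page=ekc-example' ) );
    exit;
} );

// --- HARDENED PATTERN.
add_action( 'admin_post_ekc_example_upload', function () {
    // 1. CSRF: the request must carry a nonce bound to this action and this user's
    //    session. A cross-site page cannot read the nonce, so it cannot forge it.
    //    check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'ekc_example_upload', 'ekc_example_nonce' );

    // 2. Authorization: a valid session proves who the user is, not that they may
    //    upload. Capability is an assumption; use the least one the feature needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    if ( empty( $_FILES['file'] ) ) {
        wp_die( 'No file', '', array( 'response' => 400 ) );
    }

    // 3. File type: whitelist only what a tournament import legitimately needs.
    //    wp_handle_upload() rejects extensions outside 'mimes', sanitizes the name,
    //    and de-duplicates collisions. 'test_form' is off because our form uses a
    //    custom 'action' value rather than the default 'wp_handle_upload'.
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,
            'mimes'     => array(
                'csv'  => 'text/csv',
                'json' => 'application/json',
            ),
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    // $result['file'] is the sanitized on-disk path, $result['url'] its public URL.
    wp_safe_redirect( add_query_arg( 'uploaded', '1', admin_url( 'admin.php?page=ekc-example' ) ) );
    exit;
} );

// The admin form that submits to the hardened handler. wp_nonce_field() emits the
// hidden nonce input (plus a referer field) that check_admin_referer() validates.
function ekc_example_render_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ekc_example_upload">
        <?php wp_nonce_field( 'ekc_example_upload', 'ekc_example_nonce' ); ?>
        <input type="file" name="file" accept=".csv,.json">
        <?php submit_button( 'Import' ); ?>
    </form>
    <?php
}
```

The nonce alone is the CSRF fix; the capability check and the MIME whitelist are separate layers that limit what an attacker gains if some other path into the handler exists. A WordPress nonce is tied to the user and rotates over time, so a nonce harvested from one session cannot be replayed from an attacker's page against another user.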
Update EKC Tournament Manager to version 2.2.2 or later from the WordPress plugin directory. If you cannot update immediately, deactivate the plugin until you can. See the developer's website for more information and updates.
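The log-monitoring advice above, as an added example that is not part of the advisory or of the plugin. The script below scans access-log lines in the common "combined" format for the two traces a CSRF-driven web-shell upload tends to leave: a POST to a wp-admin endpoint whose Referer is a foreign origin, and any request for a .php file under wp-content/uploads. The plugin's own endpoint is not identified on this page, so the script keys on WordPress's generic admin-post.php and admin-ajax.php handlers; the log lines and host names are constructed for the example.

```php
<?php
/**
 * Added example, not part of the advisory. Flags access-log entries consistent with
 * a CSRF-triggered upload and a dropped PHP web shell. Sample lines are constructed;
 * "tournaments.example" and the plugin's use of admin-post.php are assumptions.
 */

// Apache/nginx "combined" format:
// host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function parse_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null; // not in the expected format; skip rather than guess
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    );
}

function detect_suspicious( array $lines, string $site_host ): array {
    $findings = array();
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( $r === null ) {
            continue;
        }
        // Strip the query string so "shell.php?cmd=id" still matches on the extension.
        $path = parse_url( $r['path'], PHP_URL_PATH ) ?: $r['path'];

        // Rule 1: PHP requested from the uploads tree. Nothing legitimate lives there
        // as .php, so any hit is worth a look, even a 404 probe. Also catches the
        // .phtml/.phar/.php7 variants attackers use to dodge naive ".php" filters.
        if ( preg_match( '#/wp-content/uploads/.*\.ph(p\d?|tml|ar)$#i', $path ) ) {
            $findings[] = array( 'rule' => 'php-in-uploads', 'ip' => $r['ip'],
                'path' => $r['path'], 'status' => $r['status'] );
        }

        // Rule 2: state-changing admin request whose Referer is another origin, the
        // shape an auto-submitted form on an attacker's page produces. A missing
        // Referer is deliberately NOT flagged: browsers and privacy settings strip it
        // routinely, so its absence alone proves nothing.
        if ( $r['method'] === 'POST'
            && preg_match( '#^/wp-admin/(admin-post|admin-ajax)\.php$#', $path )
            && $r['referer'] !== '' && $r['referer'] !== '-' ) {
            $ref_host = parse_url( $r['referer'], PHP_URL_HOST );
            if ( $ref_host !== null && strcasecmp( $ref_host, $site_host ) !== 0 ) {
                $findings[] = array( 'rule' => 'cross-origin-admin-post', 'ip' => $r['ip'],
                    'path' => $r['path'], 'referer' => $r['referer'] );
            }
        }
    }
    return $findings;
}

// Constructed sample: a cross-site POST to the admin endpoint, the attacker fetching
// the dropped shell, and benign same-origin admin traffic that must not be flagged.
$sample = array(
    '203.0.113.7 - - [31/Oct/2024:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 - "https://evil.example/lure.html" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Oct/2024:10:01:40 +0000] "GET /wp-content/uploads/2024/10/shell.php?cmd=id HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '192.0.2.5 - - [31/Oct/2024:10:02:00 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 - "https://tournaments.example/wp-admin/admin.php?page=ekc" "Mozilla/5.0"',
    '192.0.2.5 - - [31/Oct/2024:10:02:10 +0000] "GET /wp-content/uploads/2024/10/bracket.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
);

// Expected: two findings, one per rule, for the first two lines only.
foreach ( detect_suspicious( $sample, 'tournaments.example' ) as $f ) {
    echo json_encode( $f ), PHP_EOL;
}
```

Rule 1 is the higher-confidence signal and is worth alerting on by itself; rule 2 produces some noise (legitimate cross-origin POSTs from integrations, for example) and is best used to pivot from a rule 1 hit back to the request that planted the file, correlating on the time window.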
CVE-2024-49674 is a critical Cross-Site Request Forgery (CSRF) vulnerability in EKC Tournament Manager allowing attackers to upload web shells. This grants them control over the web server.
You are affected if you are using EKC Tournament Manager versions 2.2.1 or earlier. Upgrade to 2.2.2 to resolve the vulnerability.
Upgrade EKC Tournament Manager to version 2.2.2 or later. If an immediate upgrade is not possible, deactivate the plugin until you can, and in any case block PHP execution under wp-content/uploads at the web server.
No active exploitation campaigns have been confirmed, but the flaw needs no attacker credentials, only a privileged user visiting a crafted page, and yields code execution on the server, so exploitation attempts are likely.
Refer to the official EKC Tournament Manager website or WordPress plugin repository for the latest advisory and update information.