cleantalk
Vulnerabilities and Security Researches

Tournamatch, CVE-2025-4594

CVE, Research URL

CVE-2025-4594

Home page URL

Security reports for Tournamatch

Application

Tournamatch

Published on
May 23, 2025
Research Description
The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 4.6.2.
Status
vulnerable
Previous vulnerability researches
Drop Caps (CVE-2025-46495) , Apr 26, 2025
New vulnerability
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light (CVE-2025-48123) , Jun 04, 2025
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light (CVE-2025-48129) , Jun 04, 2025
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light (CVE-2025-48124) , Jun 04, 2025
Best Contact Management Software for WordPress (CVE-2025-5539) , Jun 04, 2025
Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin (CVE-2025-47585) , Jun 04, 2025