cleantalk
Vulnerabilities and Security Researches

Tournamatch, CVE-2025-4594

CVE, Research URL

CVE-2025-4594

Home page URL

Security reports for Tournamatch

Application

Tournamatch

Published on
May 23, 2025
Research Description
The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 4.6.2.
Status
vulnerable
Previous vulnerability researches
Plugin Central (CVE-2025-46439) , Apr 26, 2025
Plugin Central (dc94c84bbc7a71287b02b5d483cdf884e1ca2777) , Jun 07, 2024
New vulnerability
Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin (CVE-2025-47585) , Jun 04, 2025
Leadinfo (CVE-2025-48271) , Jun 04, 2025
Free Booking Plugin for Hotels, Restaurant and Car Rental – eaSYNC (CVE-2025-4691) , Jun 04, 2025
WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance (CVE-2025-3951) , Jun 04, 2025
Year Make Model Search for WooCommerce (CVE-2025-48265) , Jun 04, 2025