CVE-2024-9765

6.5 MEDIUM

📋 TL;DR

The EKC Tournament Manager WordPress plugin before version 2.2.2 contains a directory traversal vulnerability that allows authenticated administrators to download arbitrary system files outside the WordPress directory. This affects WordPress sites using vulnerable versions of the plugin with administrator accounts.

💻 Affected Systems

Products:
  • EKC Tournament Manager WordPress Plugin
Versions: All versions before 2.2.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress administrator privileges to exploit. Plugin must be installed and active.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator credentials are compromised, allowing attackers to download sensitive system files like /etc/passwd, configuration files, or database credentials, potentially leading to full system compromise.

🟠 Likely Case

Malicious administrator or compromised admin account downloads sensitive files containing credentials, configuration data, or other sensitive information.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to authorized administrators who should already have system access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials. The vulnerability is publicly documented with proof-of-concept details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.2

Vendor Advisory: https://wpscan.com/vulnerability/c86157b0-43f3-4e82-9697-7dd9401b48d6/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find EKC Tournament Manager.
4. Click 'Update Now' if available, or download version 2.2.2+ from the WordPress plugin repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily deactivate the EKC Tournament Manager plugin until patched:

wp plugin deactivate ekc-tournament-manager

Restrict admin access (applies to: all)

Implement strict access controls and monitoring for administrator accounts.

🧯 If You Can't Patch

  • Remove administrator access from untrusted users and implement strict access controls
  • Implement file integrity monitoring and alert on unusual file access patterns

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, open Plugins → Installed Plugins and check the EKC Tournament Manager version. If the version is below 2.2.2, the site is vulnerable.

Check Version:

wp plugin get ekc-tournament-manager --field=version

Verify Fix Applied:

Verify plugin version is 2.2.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file download requests from admin users
  • HTTP requests with directory traversal patterns (../) to plugin endpoints

Network Indicators:

  • HTTP requests containing directory traversal sequences to /wp-content/plugins/ekc-tournament-manager/ endpoints

SIEM Query:

source="web_server" AND uri="*ekc-tournament-manager*" AND (uri="*../*" OR uri="*..%2f*")
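To turn the log and SIEM indicators above into something runnable, here is an added example (not from the plugin or the advisory) that scans constructed Apache-style access-log lines, percent-decodes each URI (twice, so double-encoded variants such as ..%252f are caught as well, one step beyond the two patterns in the query above), and flags traversal sequences only in requests that touch the plugin slug. The endpoint name export.php in the sample lines is a placeholder, since the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
# "export.php" is a placeholder endpoint name; the advisory does not name the real one.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-admin/admin.php?page=ekc-tournament-manager HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:12:00:05 +0000] "GET /wp-content/plugins/ekc-tournament-manager/export.php?file=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2024:12:01:09 +0000] "GET /wp-content/plugins/ekc-tournament-manager/export.php?file=..%2f..%2fwp-config.php HTTP/1.1" 200 2912 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2024:12:02:30 +0000] "GET /wp-content/plugins/ekc-tournament-manager/export.php?file=results.csv HTTP/1.1" 200 410 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2024:12:03:00 +0000] "GET /index.php?p=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request URI and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by "/" or end of string, not glued to a word character or another dot.
TRAVERSAL_RE = re.compile(r'(?:^|[^.\w])\.\.(?:/|$)')


def normalize_uri(uri: str, rounds: int = 2) -> str:
    # Percent-decode until stable (max `rounds`), so %2e%2e%2f and %252e%252e%252f
    # both collapse to "../"; then fold backslashes to forward slashes.
    decoded = uri
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def find_traversal_hits(log_text: str, plugin_slug: str = "ekc-tournament-manager") -> list:
    # Return one record per request that targets the plugin slug AND carries a
    # traversal sequence after decoding; traversal attempts elsewhere are out of scope here.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        uri = m.group("uri")
        if plugin_slug not in uri.lower():
            continue
        norm = normalize_uri(uri)
        if TRAVERSAL_RE.search(norm):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "uri": uri,
                         "normalized": norm, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for h in find_traversal_hits(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} {h["normalized"]}')
```

Requests with status 200 deserve the closest look, since a successful response means the file was actually served rather than rejected.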

🔗 References
