{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4594", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-12T15:40:39.500Z", "datePublished": "2025-05-23T03:39:40.713Z", "dateUpdated": "2026-04-08T17:34:48.225Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:48.225Z"}, "affected": [{"vendor": "tournamatch", "product": "Tournamatch", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Tournamatch <= 4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc912831-bbdd-4f8f-a620-47e41b1b731d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tournamatch/tags/4.6.1/includes/shortcodes/class-shortcodes.php#L273"}, {"url": "https://plugins.trac.wordpress.org/changeset/3295681/tournamatch/trunk/includes/shortcodes/class-shortcodes.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Cheng Liu"}], "timeline": [{"time": "2025-05-22T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-23T12:37:55.075516Z", "id": "CVE-2025-4594", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-23T12:38:03.862Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4594", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-23T12:37:55.075516Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-23T12:37:59.206Z"}}], "cna": {"title": "Tournamatch <= 4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Cheng Liu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "tournamatch", "product": "Tournamatch", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.6.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-22T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc912831-bbdd-4f8f-a620-47e41b1b731d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tournamatch/tags/4.6.1/includes/shortcodes/class-shortcodes.php#L273"}, {"url": "https://plugins.trac.wordpress.org/changeset/3295681/tournamatch/trunk/includes/shortcodes/class-shortcodes.php"}], "descriptions": [{"lang": "en", "value": "The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:48.225Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4594", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:48.225Z", "dateReserved": "2025-05-12T15:40:39.500Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-23T03:39:40.713Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tournamatch:tournamatch:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C36B5D80-AAA0-4834-B557-9669B440C4E8", "versionEndExcluding": "4.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Tournamatch para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del shortcode 'trn-ladder-registration-button' en todas las versiones hasta la 4.6.1 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada. "}], "id": "CVE-2025-4594", "lastModified": "2025-07-11T19:49:23.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-23T04:15:33.487", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/tournamatch/tags/4.6.1/includes/shortcodes/class-shortcodes.php#L273"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3295681/tournamatch/trunk/includes/shortcodes/class-shortcodes.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc912831-bbdd-4f8f-a620-47e41b1b731d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:46:52.331730+00:00", "value": {"mitigation_remediation": ["Upgrade Tournamatch to version 4.6.2 or later, which applies proper input sanitization and output escaping for the affected shortcode.", "If an upgrade cannot be performed immediately, remove or disable the 'trn\u2011ladder\u2011registration\u2011button' shortcode from public pages and restrict contributor permissions to prevent privileged users from inserting malicious attributes.", "Implement site\u2011wide output escaping policies or use a web application firewall rule to block suspicious JavaScript injection patterns in user supplied input."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Tournamatch plugin for WordPress, in all releases up to and including version 4.6.1. Administrators using any of these versions should verify that they are running the plugin at that revision or earlier.", "description_and_impact": "The Tournamatch WordPress plugin contains a stored cross\u2011site scripting flaw in the 'trn-ladder-registration-button' shortcode. Insufficient sanitization and escaping of user supplied attributes allow an authenticated attacker with contributor\u2011level or higher permissions to inject arbitrary JavaScript. Once injected, the script executes every time a site visitor accesses the affected page, potentially leading to session hijacking, credential theft, defacement, or further spread of malware. The weakness is a classic input validation error (CWE\u201179).", "risk_and_exploitability": "The weakness carries a CVSS score of 6.4, indicating moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation at the current time, and the issue is not listed in the CISA KEV catalog. The attack vector requires authenticated access with contributor\u2011level privileges, meaning the attacker must already have a valid user account on the site. Once the payload is stored, every visitor to the page will run the malicious code, so the impact could be widespread across the website's user base. Given the low EPSS, exploitation is not yet prevalent, but the moderate CVSS warrants proactive remediation."}}}}, "created": "2026-04-20T23:00:14.116367+00:00", "updated": "2026-04-20T23:00:14.116378+00:00", "vendors": []}