EKC Tournament Manager < 2.2.2 - Local File Download Vulnerability
Description
The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged-in admin to download system files outside of the WordPress directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE)
- (no CPE), version range: < 2.2.2
Patches
Vulnerability mechanics
Root cause
"The plugin allows a logged-in administrator to download system files outside of the WordPress directory."
Attack vector
An attacker with administrator privileges can exploit this vulnerability by crafting a request to download arbitrary system files. The vulnerability allows for file downloads outside of the intended WordPress directory, potentially exposing sensitive system information. This is described as a FILE DOWNLOAD vulnerability [ref_id=1].
Affected code
The vulnerability exists in the EKC Tournament Manager WordPress plugin prior to version 2.2.2. The specific code paths responsible for file handling and download functionality are affected. The patch, identified by `c6efa33c91018b84d3da1c80f1e36262ec983d69`, addresses these issues [patch_id=1882712].
What the fix does
The patch addresses the arbitrary file download vulnerability by implementing stricter file path validation. This prevents the plugin from accessing and downloading files located outside the designated WordPress directory. The fix is available in version 2.2.2 of the EKC Tournament Manager plugin [patch_id=1882712].
Preconditions
- auth: The attacker must be logged in as an administrator.
Reproduction
https://wpscan.com/vulnerability/c86157b0-43f3-4e82-9697-7dd9401b48d6/
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://wpscan.com/vulnerability/c86157b0-43f3-4e82-9697-7dd9401b48d6/ (mitre; tags: exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.