CVE-2025-6690 in WP Tournament Registration Plugin
Summary
by MITRE • 08/06/2025
The WP Tournament Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘field’ parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/06/2025
The WP Tournament Registration plugin presents a critical stored cross-site scripting vulnerability that affects versions through 1.3.0, creating a significant security risk for WordPress installations. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's handling of the 'field' parameter, which allows malicious actors with Contributor-level privileges or higher to inject persistent malicious scripts into the application's data storage. The flaw represents a direct violation of secure coding principles and demonstrates a failure to properly validate and sanitize user-supplied input before it is processed and stored within the system's database.
The technical exploitation of this vulnerability occurs when authenticated users with Contributor access or higher manipulate the 'field' parameter through the plugin's administrative interfaces or submission forms. The insufficient sanitization allows malicious script code to be stored in the database alongside legitimate content, where it remains dormant until accessed by other users. When victim users navigate to pages containing the injected content, their browsers execute the malicious scripts in the context of their active session, potentially leading to session hijacking, credential theft, or further compromise of the affected WordPress environment. This stored XSS vulnerability operates at the application layer and can be leveraged to bypass traditional browser security mechanisms.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform sophisticated attacks such as cookie theft, session manipulation, and redirection to malicious sites. Contributors with access to the plugin's administrative functions can inject scripts that persist across multiple user sessions, creating a long-term threat vector within the WordPress installation. The vulnerability affects all users who access pages containing the malicious content, regardless of their privilege level, making it particularly dangerous in multi-user environments where administrators may inadvertently view compromised content. This represents a significant risk to user privacy and system integrity, as the attack can be executed without requiring additional authentication or elevated privileges beyond the initial contributor access level.
Organizations should implement immediate mitigations including updating to the latest plugin version where available, implementing proper input validation and output escaping mechanisms, and conducting thorough security audits of all installed plugins. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and follows ATT&CK technique T1566.001 for initial access through spearphishing attachments or links. Security teams should also consider implementing Content Security Policy headers, monitoring for suspicious user activity, and establishing regular plugin security assessments to prevent similar vulnerabilities from being introduced into the WordPress ecosystem.