CVE-2024-9765: CWE-552 Files or Directories Accessible to External Parties in Unknown EKC Tournament Manager
The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory
AI Analysis
Technical Summary
CVE-2024-9765 is a medium-severity vulnerability in the EKC Tournament Manager WordPress plugin affecting versions before 2.2.2; the advisory's version bound identifies 2.2.2 as the first fixed release. The plugin exposes a file-download function to logged-in administrators but does not restrict the path it serves to the files the feature is meant to deliver, so an authenticated administrator can request files outside the WordPress directory and read anything on the server that the web server process itself can read. The weakness is catalogued as CWE-552 (Files or Directories Accessible to External Parties); in practice it behaves like a path-traversal or arbitrary-file-download flaw, and the exposed material can include web server and application configuration files, wp-config.php with its database credentials, and other data that should never leave the host. The published CVSS v3.1 base score is 6.5 (medium), with a vector of network attack (AV:N), low attack complexity (AC:L), no user interaction (UI:N), high confidentiality impact (C:H) and no integrity or availability impact. One caveat: the vector records PR:L, which means low privileges, while the advisory requires an administrator account; CVSS v3.1 scores administrative access as PR:H, which with the same remaining metrics gives a base score of 4.9, so the two statements on this page are not consistent and the 6.5 should be read with that in mind. No exploitation in the wild had been reported at the time of this analysis. The plugin serves a niche audience, but any organization managing tournament or event content in WordPress with it is affected.
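The bug class described above, shown as an added illustrative pattern in PHP. This is not the EKC Tournament Manager plugin's own code, and the hook names (`ekc_download_vulnerable`, `ekc_download`), the `file` query parameter and the export directory are assumptions for the example. The first handler hands a user-controlled path straight to `readfile()`, so an administrator can request `../../../../etc/passwd` or an absolute path; the second one requires the right capability and a nonce, reduces the request to a bare file name, resolves it with `realpath()` and refuses anything that does not land inside the one directory the feature is allowed to serve.

```php
<?php
// Added example: illustrative pattern for the CVE-2024-9765 bug class,
// not code from the EKC Tournament Manager plugin. Hook names, the "file"
// parameter and the export directory are assumptions.

// VULNERABLE pattern: the only gate is being logged in to wp-admin, and the
// path is used as supplied. "../../../../etc/passwd" or "/etc/shadow" walks
// straight out of the WordPress directory (subject to file permissions).
add_action( 'admin_post_ekc_download_vulnerable', function () {
    $file = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
    readfile( $file ); // arbitrary file read as the web server user
    exit;
} );

// HARDENED pattern: same feature, confined to one directory.
add_action( 'admin_post_ekc_download', function () {
    // 1. Capability check. Admin-only features should say so explicitly
    //    rather than rely on the admin-post.php hook being "logged in only".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 2. CSRF protection: the download link must carry a valid nonce.
    check_admin_referer( 'ekc_download' );

    // 3. The only directory this feature may ever serve from.
    $base = realpath( WP_CONTENT_DIR . '/uploads/ekc-exports' );
    if ( false === $base ) {
        wp_die( 'Export directory missing', 500 );
    }

    // 4. Keep only a file name: basename() drops every directory component,
    //    sanitize_file_name() strips the rest of the unwanted characters.
    $raw  = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    $name = sanitize_file_name( basename( $raw ) );
    if ( '' === $name ) {
        wp_die( 'Invalid file', 400 );
    }

    // 5. Resolve the final path (this follows symlinks) and verify that it is
    //    still inside $base. realpath() returns false for missing files, and
    //    the trailing separator stops "/uploads/ekc-exports-other" matching.
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file', 400 );
    }

    // 6. Allow-list the file types the feature legitimately produces.
    $ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'csv', 'pdf' ), true ) ) {
        wp_die( 'File type not allowed', 400 );
    }

    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
} );
```

The `realpath()` comparison is the step that actually closes the hole: name sanitisation alone is fragile, but a resolved path that does not start with the resolved base directory cannot be inside it, whatever encoding or symlink trick produced it.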
Potential Impact
For European organizations, this vulnerability poses a risk of sensitive data exposure if they run the EKC Tournament Manager plugin on their WordPress sites. An attacker holding administrator credentials could download files the web server process can read, such as wp-config.php with its database credentials, other application or hosting configuration files, and world-readable system files like /etc/passwd; files protected by filesystem permissions (for example /etc/shadow on a correctly configured host) stay out of reach. Exposed credentials and configuration can enable follow-on compromise, including access to the database, lateral movement within the hosting environment, and more precisely targeted attacks on the affected infrastructure. Organizations in sectors with strict data protection obligations, such as finance, healthcare or government, could additionally face compliance consequences and reputational damage. Exploitation requires administrator-level access, which narrows the attack surface to insider threats and compromised admin accounts, and on a stock single-site installation an administrator can already install plugins and run arbitrary PHP, so the additional exposure is greatest where that ability has been removed, for instance on sites that set DISALLOW_FILE_MODS, on managed hosting that locks down plugin installation, or in multisite networks where site administrators are not super admins. Because integrity and availability are unaffected, the vulnerability is unlikely to cause direct service disruption, but it remains a significant confidentiality risk.
Mitigation Recommendations
European organizations should immediately verify whether their WordPress installations use the EKC Tournament Manager plugin and identify the version in use. If the plugin is present in a version prior to 2.2.2, upgrade to 2.2.2 or later, which the advisory identifies as the fixed release; if upgrading is not immediately possible, temporarily deactivate or remove the plugin to eliminate the exposure. Beyond the patch, limit the number of administrator accounts, require multi-factor authentication for them to reduce the chance of credential compromise, and monitor for unusual administrative activity. Review web server access logs for requests to the plugin's download function whose parameters contain traversal sequences ("../", URL-encoded variants such as "%2e%2e%2f") or absolute paths, since the file read leaves a trace there even though it is authenticated. A web application firewall can block the same patterns in download requests before they reach the plugin. Finally, keep secrets out of web-accessible directories, run the web server under an account that cannot read files it has no need for, and keep server file permissions aligned with the principle of least privilege so that an arbitrary-file-read bug yields as little as possible.
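The version check and the log review described above, as an added stand-alone PHP CLI script that is not part of the plugin or of this advisory. It reads the "Version:" header from the plugin's main file the way WordPress does, compares it with 2.2.2 using `version_compare()`, and scans access log lines for requests to admin-post.php or admin-ajax.php whose query string carries a traversal sequence or an absolute path. The plugin directory and file name (`ekc-tournament-manager/ekc-tournament-manager.php`), the exact endpoint the download uses and the embedded log lines are assumptions and constructed sample data, so adjust the path and the endpoint pattern to what your installation actually exposes.

```php
<?php
// Added audit script for the mitigation steps above; not part of the plugin
// or the advisory. The plugin path, the endpoint pattern and the sample log
// lines below are assumptions / constructed data.

const FIXED_VERSION = '2.2.2';

// Read "Version:" from a plugin's main file header (the same header that
// WordPress parses for the plugin list). Returns null if it cannot be read.
function plugin_version_from_header( string $main_file ): ?string {
    if ( ! is_readable( $main_file ) ) {
        return null;
    }
    $header = file_get_contents( $main_file, false, null, 0, 8192 );
    if ( preg_match( '/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $header, $m ) ) {
        return $m[1];
    }
    return null;
}

// True for every release the advisory covers ("before 2.2.2").
function is_vulnerable_version( string $version ): bool {
    return version_compare( $version, FIXED_VERSION, '<' );
}

// Return the combined-format log lines that hit admin-post.php or
// admin-ajax.php with a query parameter that looks like "../", a backslash
// traversal, or an absolute path. Decoded twice to catch double encoding.
// "=/" is a heuristic and will also flag legitimate parameters that hold a
// path; review hits rather than acting on them blindly.
function suspicious_download_requests( array $log_lines ): array {
    $hits = array();
    foreach ( $log_lines as $line ) {
        if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP/', $line, $m ) ) {
            continue;
        }
        $url = $m[1];
        if ( ! preg_match( '#/wp-admin/admin-(?:post|ajax)\.php\?#', $url ) ) {
            continue;
        }
        $query = rawurldecode( substr( $url, strpos( $url, '?' ) + 1 ) );
        $query = rawurldecode( $query );
        if ( preg_match( '#(\.\./|\.\.\\\\|=/|=[A-Za-z]:\\\\)#', $query ) ) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic). Lines 2, 3 and 4 should
// be flagged; line 1 is a normal export download and line 5 is unrelated.
$sample_log = array(
    '203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-admin/admin-post.php?action=ekc_download&file=export-2024.csv HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2024:12:00:09 +0000] "GET /wp-admin/admin-post.php?action=ekc_download&file=../../../../etc/passwd HTTP/1.1" 200 2311',
    '203.0.113.5 - - [10/Oct/2024:12:00:15 +0000] "GET /wp-admin/admin-post.php?action=ekc_download&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3390',
    '198.51.100.7 - - [10/Oct/2024:12:01:00 +0000] "GET /wp-admin/admin-post.php?action=ekc_download&file=/etc/shadow HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Oct/2024:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
);

if ( PHP_SAPI === 'cli' && ! empty( $argv ) && realpath( $argv[0] ) === __FILE__ ) {
    // Usage: php audit.php /var/www/html [access.log]
    $wp_root   = rtrim( $argv[1] ?? '.', '/' );
    $main_file = $wp_root . '/wp-content/plugins/ekc-tournament-manager/ekc-tournament-manager.php';

    $version = plugin_version_from_header( $main_file );
    if ( null === $version ) {
        echo "Plugin main file not found or unreadable: $main_file\n";
    } elseif ( is_vulnerable_version( $version ) ) {
        echo "EKC Tournament Manager $version is affected (fixed in " . FIXED_VERSION . ")\n";
    } else {
        echo "EKC Tournament Manager $version is not affected\n";
    }

    $lines = isset( $argv[2] ) ? file( $argv[2], FILE_IGNORE_NEW_LINES ) : $sample_log;
    foreach ( suspicious_download_requests( $lines ) as $hit ) {
        echo "SUSPICIOUS: $hit\n";
    }
}
```

Run it against the WordPress root and, optionally, a real access log; without a log argument it runs over the constructed sample and reports the three traversal lines. A hit with an HTTP 200 status is the line to escalate, because an authenticated request that succeeded means the file was actually served.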
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2024-10-09T19:48:06.956Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f91484d88663aeba84
Added to database: 5/20/2025, 6:59:05 PM
Last enriched: 7/4/2025, 4:12:21 PM
Last updated: 8/18/2025, 7:27:21 AM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)