CVE-2025-4594: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tournamatch Tournamatch
The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-4594 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Tournamatch WordPress plugin, specifically versions up to and including 4.6.1. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The issue is located in the 'trn-ladder-registration-button' shortcode, where user-supplied attributes are insufficiently sanitized and output escaping is inadequate. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of users. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network exploitability with low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. The vulnerability does not currently have known exploits in the wild, and no patches have been linked yet. However, the risk remains significant for sites using this plugin, especially those with multiple contributors or public-facing content where injected scripts can affect a broad user base.
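The defect described above is a shortcode handler that drops user-supplied attribute values into HTML without validating them or escaping them for the context they land in. The PHP below is an added illustration, not Tournamatch's code and not the advisory's: the shortcode name 'example_button' and its attributes are hypothetical. The first handler shows the vulnerable pattern; the second shows the hardened form built from WordPress's own helpers (shortcode_atts, absint, sanitize_text_field, home_url, esc_url, esc_attr, esc_html).

```php
<?php
// Added illustration, not Tournamatch code. The shortcode name 'example_button'
// and its attributes are hypothetical.

// VULNERABLE pattern: attribute values are concatenated straight into HTML.
// Contributors can set these attributes in their own posts, so anything they
// put there reaches every visitor's browser unchanged.
function example_button_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'ladder_id' => '0', 'label' => 'Register', 'class' => 'btn' ),
        $atts,
        'example_button'
    );
    return '<a href="/ladder/' . $atts['ladder_id'] . '/register" class="' . $atts['class'] . '">'
        . $atts['label'] . '</a>';
}

// HARDENED pattern: validate what has a fixed shape, allowlist what has a fixed
// vocabulary, and escape everything at output with the escaper for its context.
function example_button_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'ladder_id' => '0', 'label' => 'Register', 'class' => 'btn' ),
        $atts,
        'example_button'
    );

    // ladder_id has a fixed shape (positive integer): validate, do not just escape.
    $ladder_id = absint( $atts['ladder_id'] );
    if ( 0 === $ladder_id ) {
        return '';
    }

    // class has a fixed vocabulary: accept only known presentational classes.
    $allowed_classes = array( 'btn', 'btn-primary', 'btn-secondary' );
    $class = in_array( $atts['class'], $allowed_classes, true ) ? $atts['class'] : 'btn';

    // label is free text: strip tags and control characters on the way in,
    // then HTML-escape on the way out.
    $label = sanitize_text_field( $atts['label'] );

    $url = home_url( '/ladder/' . $ladder_id . '/register' );

    // Context-matched escaping: esc_url for href, esc_attr inside an attribute
    // value, esc_html for element text. A quote in $class is encoded by esc_attr
    // and can no longer close the attribute to start a new one; angle brackets
    // in $label are encoded by esc_html and no longer form a tag.
    return sprintf(
        '<a href="%s" class="%s">%s</a>',
        esc_url( $url ),
        esc_attr( $class ),
        esc_html( $label )
    );
}

add_shortcode( 'example_button', 'example_button_hardened' );
```

The reason the plugin must do this itself: WordPress passes a contributor's post content through kses on save, but a shortcode is expanded at render time by the handler, and the handler's output is not filtered again. Whatever the handler emits is what the visitor's browser parses, so escaping belongs at the point of output. If a label genuinely needs limited markup, wp_kses_post() is the appropriate filter rather than echoing the raw value.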
Potential Impact
For European organizations using WordPress sites with the Tournamatch plugin, this vulnerability poses a risk to confidentiality and integrity of user data and site content. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions within the context of the victim’s privileges. This can lead to data breaches, defacement, loss of user trust, and compliance issues under regulations such as GDPR if personal data is compromised. The scope change indicated by the CVSS score means that the vulnerability can affect components beyond the initially compromised user, amplifying the impact. Given the collaborative nature of many European organizations’ websites and the popularity of WordPress, exploitation could disrupt business operations, damage reputation, and incur remediation costs.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Tournamatch plugin and confirm the version in use. Until an official patch is released, the following specific mitigations are recommended:
1) Restrict contributor-level access strictly to trusted users and review user roles to minimize unnecessary privileges.
2) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'trn-ladder-registration-button' shortcode attributes.
3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages.
4) Regularly monitor site content and logs for unusual script injections or modifications.
5) Consider temporarily disabling or removing the Tournamatch plugin if feasible, especially on high-risk or public-facing sites.
6) Educate site administrators and contributors about the risks of XSS and safe content practices.
Once a patch is available, prioritize prompt updating of the plugin to a secure version.
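Mitigation 4 calls for monitoring stored content for injected script. The PHP below is an added example, not part of the advisory or the plugin, that scans a set of post_content strings for shortcode instances whose attribute section contains material a button label, ladder id or class never legitimately needs: angle brackets, an on*= event-handler attribute, or a javascript: scheme. The shortcode name 'example_button' and the three sample posts are constructed (post 102 carries an event-handler attribute inside a quoted value); the simplified matcher stops at the first ']' so the script runs stand-alone without WordPress.

```php
<?php
// Added example, not Tournamatch or advisory code. Scans stored post content
// for shortcode instances whose attribute section carries markup.

/**
 * @param array $posts      post_id => post_content (constructed sample below)
 * @param array $shortcodes shortcode tags to inspect
 * @return array list of findings, each: post_id, shortcode, signal, atts
 */
function find_suspicious_shortcode_atts( array $posts, array $shortcodes ): array {
    $names = implode( '|', array_map( static function ( $s ) {
        return preg_quote( $s, '/' );
    }, $shortcodes ) );
    // Simplified shortcode matcher: tag followed by everything up to the first ']'.
    // WordPress's own get_shortcode_regex() is more complete; this one keeps the
    // example runnable outside WordPress.
    $shortcode_re = '/\[(' . $names . ')\b([^\]]*)\]/i';

    // Content that has no business inside a button label, ladder id or class.
    $signals = array(
        'angle_bracket' => '/[<>]/',
        'event_handler' => '/\bon[a-z]+\s*=/i',
        'js_scheme'     => '/javascript\s*:/i',
    );

    $findings = array();
    foreach ( $posts as $post_id => $content ) {
        if ( ! preg_match_all( $shortcode_re, $content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            foreach ( $signals as $signal => $re ) {
                if ( preg_match( $re, $m[2] ) ) {
                    $findings[] = array(
                        'post_id'   => $post_id,
                        'shortcode' => $m[1],
                        'signal'    => $signal,
                        'atts'      => trim( $m[2] ),
                    );
                }
            }
        }
    }
    return $findings;
}

// Constructed sample content; on a real site this comes from wp_posts.
$posts = array(
    101 => 'Join here: [example_button ladder_id="3" label="Register now"]',
    102 => 'Sign up: [example_button ladder_id="3" label=\'x" onmouseover="alert(1)\' class="btn"]',
    103 => 'No shortcode here, just <a href="https://example.com">a link</a>.',
);

foreach ( find_suspicious_shortcode_atts( $posts, array( 'example_button' ) ) as $f ) {
    printf( "post %d: [%s] %s -> %s\n", $f['post_id'], $f['shortcode'], $f['signal'], $f['atts'] );
}
```

Run it with `php scan.php`. On a live site, feed the function the real ID/post_content pairs (for example from `wp post list --format=json --fields=ID,post_content`) and the site's actual shortcode tags, and prefer WordPress's get_shortcode_regex() and shortcode_parse_atts() for parsing. A hit is a triage signal for manual review, not proof of exploitation, and scanning does not replace fixing the output escaping in the handler; it only tells you whether anything has already been stored that the unescaped handler would render.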
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-12T15:40:39.500Z
- Cisa Enriched: false
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682ff0f10acd01a249270c95
Added to database: 5/23/2025, 3:52:17 AM
Last enriched: 7/8/2025, 4:55:31 AM
Last updated: 7/30/2025, 4:09:14 PM