Tournamatch Security & Risk Analysis

wordpress.org/plugins/tournamatch

A ladder and tournament plugin for eSports, physical sports, board games, and other online gaming leagues.

100 active installs · v4.7.0 · PHP 5.6.20+ · WP 4.7+ · Updated Dec 9, 2025
bracket · ladder · leaderboard · standings · tournament
Score: 74
B · Generally Safe
CVEs total: 4
Unpatched: 1
Last CVE: May 22, 2025
Safety Verdict

Is Tournamatch Safe to Use in 2026?

Mostly Safe

Score 74/100

Tournamatch is generally safe to use. 4 past CVEs were resolved. Keep it updated.

4 known CVEs · 1 unpatched · Last CVE: May 22, 2025 · Updated 3mo ago
Risk Assessment

The Tournamatch plugin v4.7.0 exhibits a mixed security posture. It demonstrates good practices in several areas, such as a high percentage of prepared SQL statements and properly escaped output, but significant concerns remain. Two AJAX handlers lack authentication checks, which is a notable weakness in the attack surface. The taint analysis found six high-severity flows with unsanitized paths, which is particularly worrying because these are potential avenues for attackers to inject malicious code or data. The plugin's vulnerability history, with four known CVEs and one still unpatched, amplifies these concerns. The prevalence of Cross-Site Scripting (XSS) vulnerabilities in the past suggests a recurring issue with input sanitization or output encoding, which aligns with the high-severity taint flows identified.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows
  • Currently unpatched CVE
  • Vulnerability history of XSS

Vulnerabilities: 4

Tournamatch Security Vulnerabilities

CVEs by Year

  • 2024: 2 CVEs
  • 2025: 2 CVEs · unpatched

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2025-4594 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Tournamatch <= 4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 22, 2025 · Patched in 4.6.2 (1d)

CVE-2025-32600 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Tournamatch <= 4.6.2 - Reflected Cross-Site Scripting

Apr 9, 2025 · Unpatched

CVE-2024-5644 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Plugin Tournamatch < 4.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Jun 22, 2024 · Patched in 4.6.1 (6d)

CVE-2024-5627 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Plugin Tournamatch < 4.6.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Jun 22, 2024 · Patched in 4.6.1 (6d)

Code Analysis
Analyzed Mar 16, 2026

Tournamatch Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 23 (1065 prepared)
  • Unescaped Output: 65 (1171 escaped)
  • Nonce Checks: 40
  • Capability Checks: 58
  • File Operations: 3
  • External Requests: 4
  • Bundled Libraries: 1

Bundled Libraries

DataTables

SQL Query Safety

98% prepared · 1088 total queries

Output Escaping

95% escaped · 1236 total outputs

Data Flows: 6 unsanitized

Data Flow Analysis

25 flows · 6 with unsanitized paths
settings (admin\class-admin.php:448)

Attack Surface: 2 unprotected

Tournamatch Attack Surface

Entry Points: 29
Unprotected: 2

AJAX Handlers 2

auth wp_ajax_trn_get_nonce tournamatch.php:4405
nopriv wp_ajax_trn_get_nonce tournamatch.php:4406

Shortcodes 27

[trn-accept-challenge-button] includes\shortcodes\class-challenge-shortcodes.php:32
[trn-decline-challenge-button] includes\shortcodes\class-challenge-shortcodes.php:33
[trn-delete-challenge-button] includes\shortcodes\class-challenge-shortcodes.php:34
[trn-team-requests-list] includes\shortcodes\class-shortcodes.php:34
[trn-team-invitations-list] includes\shortcodes\class-shortcodes.php:35
[trn-email-team-invitation-form] includes\shortcodes\class-shortcodes.php:36
[trn-ladder-registration-button] includes\shortcodes\class-shortcodes.php:37
[trn-tournament-registration-button] includes\shortcodes\class-shortcodes.php:38
[trn-invite-player-to-team] includes\shortcodes\class-shortcodes.php:39
[trn-my-team-invitations-list] includes\shortcodes\class-shortcodes.php:40
[trn-my-team-requests-list] includes\shortcodes\class-shortcodes.php:41
[trn-upcoming-tournaments] includes\shortcodes\class-shortcodes.php:42
[trn-dispute-match-button] includes\shortcodes\class-shortcodes.php:43
[trn-career-record] includes\shortcodes\class-shortcodes.php:44
[trn-brackets] includes\shortcodes\class-shortcodes.php:45
[trn-teams-list-table] includes\shortcodes\class-table-shortcodes.php:32
[trn-players-list-table] includes\shortcodes\class-table-shortcodes.php:33
[trn-challenges-list-table] includes\shortcodes\class-table-shortcodes.php:34
[trn-matches-list-table] includes\shortcodes\class-table-shortcodes.php:35
[trn-ladder-matches-list-table] includes\shortcodes\class-table-shortcodes.php:36
[trn-ladder-standings-list-table] includes\shortcodes\class-table-shortcodes.php:37
[trn-tournament-matches-list-table] includes\shortcodes\class-table-shortcodes.php:38
[trn-competitor-ladders-list-table] includes\shortcodes\class-table-shortcodes.php:39
[trn-competitor-tournaments-list-table] includes\shortcodes\class-table-shortcodes.php:40
[trn-player-teams-list-table] includes\shortcodes\class-table-shortcodes.php:41
[trn-competitor-match-list-table] includes\shortcodes\class-table-shortcodes.php:42
[trn-team-roster-table] includes\shortcodes\class-table-shortcodes.php:43

WordPress Hooks 59

action admin_menu admin\class-admin.php:43
action admin_menu admin\class-game.php:31
action load-toplevel_page_trn-games admin\class-game.php:33
action admin_menu admin\class-ladder.php:31
action load-toplevel_page_trn-ladders admin\class-ladder.php:42
action admin_menu admin\class-matche.php:31
action load-ladders_page_trn-ladders-matches admin\class-matche.php:45
action load-tournaments_page_trn-tournaments-matches admin\class-matche.php:46
action admin_menu admin\class-tournament.php:31
action load-toplevel_page_trn-tournaments admin\class-tournament.php:42
action init includes\classes\class-tournamatch-online-users.php:38
action admin_init includes\classes\class-tournamatch-online-users.php:39
filter pre_set_site_transient_update_plugins includes\extensions.php:79
filter plugins_api includes\extensions.php:142
action rest_api_init includes\rest\class-challenge-builder.php:35
action rest_api_init includes\rest\class-challenge.php:38
action rest_api_init includes\rest\class-game-image.php:32
action rest_api_init includes\rest\class-game.php:32
action rest_api_init includes\rest\class-ladder-competitor.php:37
action rest_api_init includes\rest\class-ladder.php:35
action rest_api_init includes\rest\class-match-dispute.php:34
action rest_api_init includes\rest\class-matche.php:36
action rest_api_init includes\rest\class-player.php:36
action rest_api_init includes\rest\class-team-invitation.php:39
action rest_api_init includes\rest\class-team-member.php:37
action rest_api_init includes\rest\class-team-rank.php:46
action rest_api_init includes\rest\class-team-request.php:38
action rest_api_init includes\rest\class-team.php:37
action rest_api_init includes\rest\class-tournament-competitor.php:34
action rest_api_init includes\rest\class-tournament-registration-list.php:35
action rest_api_init includes\rest\class-tournament-registration.php:52
action rest_api_init includes\rest\class-tournament.php:35
action widgets_init includes\widgets\class-ladder-top-competitor.php:171
action widgets_init includes\widgets\class-latest-matches.php:158
action widgets_init includes\widgets\class-newest-members.php:110
action widgets_init includes\widgets\class-newest-teams.php:110
action widgets_init includes\widgets\class-online-statistics.php:182
action widgets_init includes\widgets\class-upcoming-matches.php:159
action init tournamatch.php:55
action init tournamatch.php:290
action deleted_user tournamatch.php:1078
action wp_enqueue_scripts tournamatch.php:1194
action admin_enqueue_scripts tournamatch.php:1210
action admin_init tournamatch.php:1767
filter template_include tournamatch.php:2177
action init tournamatch.php:2250
filter query_vars tournamatch.php:2273
action template_redirect tournamatch.php:2393
filter trn_magic_links tournamatch.php:2483
action trn_magic_link_confirm_match_result tournamatch.php:2496
action trn_magic_link_accept_team_invitation tournamatch.php:2523
action user_register tournamatch.php:2879
action admin_notices tournamatch.php:2897
action admin_post_trn-replace-tournament-competitor tournamatch.php:2920
action plugins_loaded tournamatch.php:3671
action tournamatch_after_header tournamatch.php:4146
action tournamatch_before_footer tournamatch.php:4153
action wp_head tournamatch.php:4409
action admin_head tournamatch.php:4410

Maintenance & Trust

Tournamatch Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.0
Last updated: Dec 9, 2025
PHP min version: 5.6.20
Downloads: 9K

Community Trust

Rating: 84/100
Number of ratings: 6
Active installs: 100

Developer Profile

Tournamatch Developer Profile

Tournamatch

1 plugin · 100 total installs

Trust score: 82
Avg Security Score: 74/100
Avg Patch Time: 4 days
Detection Fingerprints

How We Detect Tournamatch

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/tournamatch/assets/css/frontend.css
/wp-content/plugins/tournamatch/assets/css/backend.css
/wp-content/plugins/tournamatch/assets/js/frontend.js
/wp-content/plugins/tournamatch/assets/js/admin.js
/wp-content/plugins/tournamatch/assets/js/vendor/jquery-ui.min.js
/wp-content/plugins/tournamatch/assets/js/vendor/tinymce/tinymce.min.js

Script Paths
/wp-content/plugins/tournamatch/assets/js/frontend.js
/wp-content/plugins/tournamatch/assets/js/admin.js
/wp-content/plugins/tournamatch/assets/js/vendor/jquery-ui.min.js
/wp-content/plugins/tournamatch/assets/js/vendor/tinymce/tinymce.min.js

Version Parameters
tournamatch/assets/css/frontend.css?ver=
tournamatch/assets/css/backend.css?ver=
tournamatch/assets/js/frontend.js?ver=
tournamatch/assets/js/admin.js?ver=
tournamatch/assets/js/vendor/jquery-ui.min.js?ver=
tournamatch/assets/js/vendor/tinymce/tinymce.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
tournamatch-profile
tournamatch-ladder
tournamatch-tournament
tournamatch-match
tournamatch-team
tournamatch-game
tournamatch-widget
tournamatch-admin-list-table
+2 more

Data Attributes
data-trn-player-id
data-trn-match-id
data-trn-ladder-id
data-trn-tournament-id
data-trn-team-id

JS Globals
Tournamatch
trn_ajax_url
trn_vars

REST Endpoints
/wp-json/tournamatch/v1/challenges
/wp-json/tournamatch/v1/games
/wp-json/tournamatch/v1/ladders
/wp-json/tournamatch/v1/matches
/wp-json/tournamatch/v1/teams
/wp-json/tournamatch/v1/tournaments
/wp-json/tournamatch/v1/players

Shortcode Output
[tournamatch_profile]
[tournamatch_ladder]
[tournamatch_tournament]
[tournamatch_matches]