Skip to main content

Tourfic Plugin CVE-2026-12937

| EUVDEUVD-2026-39189 HIGH
SQL Injection (CWE-89)
2026-06-25 Wordfence GHSA-79gf-4fr3-w2q9
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Endpoint is network-reachable with a freely obtainable nonce, so PR:N/UI:N/AC:L; injection extracts data only, giving C:H with I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 25, 2026 - 08:16 vuln.today
CVE Published
Jun 25, 2026 - 06:51 cve.org
HIGH 7.5

DescriptionCVE.org

The Tourfic - AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler is registered for unauthenticated users via wp_ajax_nopriv_tf_room_availability, and the required nonce is emitted on the public single-hotel page template, allowing unauthenticated attackers to freely obtain a valid nonce and reach the vulnerable code path.

AnalysisAI

Unauthenticated SQL injection in the Tourfic WordPress travel-booking plugin (versions through 2.22.7) lets remote attackers read arbitrary database contents via the 'post_id' parameter of the tf_room_availability AJAX action. Because the action is registered for logged-out users (wp_ajax_nopriv) and the required nonce is publicly emitted on single-hotel pages, no authentication is needed in practice. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Fetch public single-hotel page
Delivery
Scrape valid tf_room_availability nonce
Exploit
POST crafted post_id to admin-ajax.php
Execution
Inject UNION/stacked SQL query
Impact
Exfiltrate user hashes and sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires that the public single-hotel page template be reachable so the attacker can harvest the valid nonce gating the tf_room_availability AJAX action, and that an affected plugin version (≤ 2.22.7) be active with the nopriv AJAX handler registered (default behavior). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5 HIGH) is internally consistent with the description: network-reachable, low-complexity, no privileges, no user interaction, and confidentiality-only impact since the injection extracts rather than modifies data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker loads a public single-hotel page to scrape the valid nonce, then sends a crafted POST to admin-ajax.php with action=tf_room_availability and a malicious 'post_id' value appending a UNION or stacked subquery, causing the response to return WordPress user records, password hashes, or other sensitive table data. No public exploit code is identified at time of analysis, but the low attack complexity (AC:L) makes weaponization straightforward.
Remediation Update the Tourfic plugin to the first release after 2.22.7 that contains the fix; an upstream fix is available via the WordPress.org SVN changeset (3584747@tourfic), but the exact patched release version is not independently confirmed in the available data, so verify the fixed version against the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/12c29a44-f9e4-439a-bc3f-18a3640f7924?source=cve) before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Disable the Tourfic plugin immediately; deploy WAF rules to block requests to tf_room_availability AJAX action. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy