Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Endpoint is network-reachable with a freely obtainable nonce, so PR:N/UI:N/AC:L; injection extracts data only, giving C:H with I:N/A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Tourfic - AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler is registered for unauthenticated users via wp_ajax_nopriv_tf_room_availability, and the required nonce is emitted on the public single-hotel page template, allowing unauthenticated attackers to freely obtain a valid nonce and reach the vulnerable code path.
Articles & Coverage 1
AnalysisAI
Unauthenticated SQL injection in the Tourfic WordPress travel-booking plugin (versions through 2.22.7) lets remote attackers read arbitrary database contents via the 'post_id' parameter of the tf_room_availability AJAX action. Because the action is registered for logged-out users (wp_ajax_nopriv) and the required nonce is publicly emitted on single-hotel pages, no authentication is needed in practice. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the public single-hotel page template be reachable so the attacker can harvest the valid nonce gating the tf_room_availability AJAX action, and that an affected plugin version (≤ 2.22.7) be active with the nopriv AJAX handler registered (default behavior). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5 HIGH) is internally consistent with the description: network-reachable, low-complexity, no privileges, no user interaction, and confidentiality-only impact since the injection extracts rather than modifies data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker loads a public single-hotel page to scrape the valid nonce, then sends a crafted POST to admin-ajax.php with action=tf_room_availability and a malicious 'post_id' value appending a UNION or stacked subquery, causing the response to return WordPress user records, password hashes, or other sensitive table data. No public exploit code is identified at time of analysis, but the low attack complexity (AC:L) makes weaponization straightforward. |
| Remediation | Update the Tourfic plugin to the first release after 2.22.7 that contains the fix; an upstream fix is available via the WordPress.org SVN changeset (3584747@tourfic), but the exact patched release version is not independently confirmed in the available data, so verify the fixed version against the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/12c29a44-f9e4-439a-bc3f-18a3640f7924?source=cve) before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Disable the Tourfic plugin immediately; deploy WAF rules to block requests to tf_room_availability AJAX action. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39189
GHSA-79gf-4fr3-w2q9