Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.21.4.
AnalysisAI
Missing authorization in Themefic Tourfic WordPress plugin versions up to 2.21.4 allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability exposes data confidentiality without enabling modification or denial of service, affecting WordPress sites running the vulnerable plugin. Despite a moderate CVSS score of 5.3, the extremely low EPSS score of 0.02% indicates minimal real-world exploitation probability.
Technical ContextAI
Themefic Tourfic is a WordPress plugin for tour and travel booking functionality. The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the application fails to properly validate user permissions before granting access to protected resources. The plugin's authorization logic does not correctly enforce security levels, allowing unauthenticated users (PR:N in CVSS vector) to retrieve information that should be restricted. WordPress plugins implementing inadequate capability checks or missing nonce validation commonly exhibit this pattern, particularly when REST API endpoints or AJAX handlers lack proper permission verification.
RemediationAI
Update Themefic Tourfic to a version beyond 2.21.4 (exact patched version number not specified in available advisory data). WordPress administrators should navigate to their plugin management console, locate Tourfic, and apply the available update. If an update beyond 2.21.4 is not yet released despite vulnerability disclosure, temporarily disable the plugin until a patched version is confirmed available. Monitor the Patchstack vulnerability database and official Themefic channels for patch confirmation and deployment guidance.
Missing Authorization (CWE-862) in the Tourfic WordPress plugin through version 2.22.5 permits authenticated low-privile
Tourfic, a WordPress travel booking plugin by Themefic, exposes unauthenticated access control bypass through missing au
The Tourfic - Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking plugin f
The Tourfic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.11.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20199
GHSA-v3c3-56rg-4qff