Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-reachable unauthenticated endpoint with no user interaction required; impact limited to partial integrity and availability with no confidentiality exposure.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.22.5.
AnalysisAI
Tourfic, a WordPress travel booking plugin by Themefic, exposes unauthenticated access control bypass through missing authorization checks on one or more plugin endpoints, affecting all versions through 2.22.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote, unauthenticated exploitation with limited integrity and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Tourfic plugin (version 2.22.5 or earlier) must be installed and active on a WordPress site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium score with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L places this at low complexity with no authentication barrier, but the limited impact metrics (Confidentiality:None, Integrity:Low, Availability:Low) cap the damage ceiling. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker identifies a WordPress site running Tourfic 2.22.5 or earlier - trivially discoverable via WordPress plugin fingerprinting. The attacker sends crafted HTTP requests directly to the unprotected Tourfic endpoint, bypassing the missing authorization check to perform unauthorized modifications to tour listings or booking records, or to cause limited availability disruption. … |
| Remediation | The primary remediation is to update the Tourfic plugin to a version above 2.22.5, as all releases through that version are confirmed affected. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Missing Authorization (CWE-862) in the Tourfic WordPress plugin through version 2.22.5 permits authenticated low-privile
The Tourfic - Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking plugin f
Missing authorization in Themefic Tourfic WordPress plugin versions up to 2.21.4 allows unauthenticated remote attackers
The Tourfic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.11.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43465