Skip to main content

Tourfic CVE-2026-57392

| EUVDEUVD-2026-43465 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable unauthenticated endpoint with no user interaction required; impact limited to partial integrity and availability with no confidentiality exposure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:27 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.22.5.

AnalysisAI

Tourfic, a WordPress travel booking plugin by Themefic, exposes unauthenticated access control bypass through missing authorization checks on one or more plugin endpoints, affecting all versions through 2.22.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote, unauthenticated exploitation with limited integrity and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Fingerprint target WordPress site for Tourfic plugin
Delivery
Identify unprotected plugin endpoint
Exploit
Send unauthenticated HTTP request
Execution
Bypass missing authorization check
Impact
Perform unauthorized data modification or disruption

Vulnerability AssessmentAI

Exploitation The Tourfic plugin (version 2.22.5 or earlier) must be installed and active on a WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L places this at low complexity with no authentication barrier, but the limited impact metrics (Confidentiality:None, Integrity:Low, Availability:Low) cap the damage ceiling. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker identifies a WordPress site running Tourfic 2.22.5 or earlier - trivially discoverable via WordPress plugin fingerprinting. The attacker sends crafted HTTP requests directly to the unprotected Tourfic endpoint, bypassing the missing authorization check to perform unauthorized modifications to tour listings or booking records, or to cause limited availability disruption. …
Remediation The primary remediation is to update the Tourfic plugin to a version above 2.22.5, as all releases through that version are confirmed affected. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy