Skip to main content

Tourfic CVE-2026-57395

| EUVDEUVD-2026-43468 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

PR:L confirmed as any registered WordPress subscriber suffices; C:H reflects unauthorized read of sensitive booking data; I:N and A:N because the flaw enables disclosure only, not modification or disruption.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:26 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.22.5.

AnalysisAI

Missing Authorization (CWE-862) in the Tourfic WordPress plugin through version 2.22.5 permits authenticated low-privilege users to exploit incorrectly configured access control levels, resulting in unauthorized high-confidentiality data exposure. The CVSS vector (PR:L, C:H, I:N) confirms that any logged-in WordPress user - such as a customer or subscriber - can read sensitive data reserved for higher-privileged roles without modifying or disrupting it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain low-privilege WordPress account
Delivery
Enumerate Tourfic AJAX or REST API endpoints
Exploit
Identify endpoint missing authorization check
Execution
Send authenticated HTTP request with crafted parameters
Impact
Read sensitive booking or customer data without proper role authorization

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid WordPress account with at minimum the subscriber or customer role, satisfying the CVSS PR:L prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N reflects a moderately severe, easily exploitable confidentiality breach requiring only a low-privilege authenticated account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free customer account on a tour booking WordPress site running Tourfic, then probes the plugin's AJAX or REST endpoints to identify one lacking a capability check. The attacker sends an authenticated HTTP request to that endpoint, obtaining sensitive booking records or customer personal data belonging to other users. …
Remediation Update the Tourfic plugin to a version beyond 2.22.5 as soon as Themefic releases a patched build; monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/tourfic/vulnerability/wordpress-tourfic-plugin-2-22-5-broken-access-control-vulnerability-2 for the confirmed fix version, which has not been independently verified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy