Skip to main content

Tourfic EUVDEUVD-2026-20199

| CVE-2026-39543 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-v3c3-56rg-4qff
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20199
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.21.4.

AnalysisAI

Missing authorization in Themefic Tourfic WordPress plugin versions up to 2.21.4 allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability exposes data confidentiality without enabling modification or denial of service, affecting WordPress sites running the vulnerable plugin. Despite a moderate CVSS score of 5.3, the extremely low EPSS score of 0.02% indicates minimal real-world exploitation probability.

Technical ContextAI

Themefic Tourfic is a WordPress plugin for tour and travel booking functionality. The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the application fails to properly validate user permissions before granting access to protected resources. The plugin's authorization logic does not correctly enforce security levels, allowing unauthenticated users (PR:N in CVSS vector) to retrieve information that should be restricted. WordPress plugins implementing inadequate capability checks or missing nonce validation commonly exhibit this pattern, particularly when REST API endpoints or AJAX handlers lack proper permission verification.

RemediationAI

Update Themefic Tourfic to a version beyond 2.21.4 (exact patched version number not specified in available advisory data). WordPress administrators should navigate to their plugin management console, locate Tourfic, and apply the available update. If an update beyond 2.21.4 is not yet released despite vulnerability disclosure, temporarily disable the plugin until a patched version is confirmed available. Monitor the Patchstack vulnerability database and official Themefic channels for patch confirmation and deployment guidance.

Share

EUVD-2026-20199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy