Skip to main content

Tourfic EUVDEUVD-2026-39718

| CVE-2026-56064 HIGH
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-89jf-r85v-p58j
8.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
6.5 MEDIUM

Remote subscriber-authenticated SQLi gives PR:L and AC:L with high confidentiality read; I assess scope unchanged and no integrity/availability impact, unlike the source's S:C/A:L.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:57 vuln.today

DescriptionCVE.org

Subscriber SQL Injection in Tourfic <= 2.22.5 versions.

AnalysisAI

SQL injection in the Tourfic WordPress plugin (versions 2.22.5 and earlier) lets authenticated subscriber-level users inject arbitrary SQL through a vulnerable parameter, exposing the WordPress database. Because only a low-privilege account is required and registration is often open on WordPress sites, an attacker can read sensitive data such as user records and credential hashes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain subscriber account
Delivery
Send crafted request to vulnerable Tourfic endpoint
Exploit
Inject SQL via unsanitized parameter
Execution
Database executes attacker query
Impact
Exfiltrate user data and credential hashes

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account at subscriber level or higher (CVSS PR:L), so it is not anonymous - the attacker must be able to register or already possess a low-privilege account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, base 8.5 High) describes remote, low-complexity exploitation needing only low privileges and no user interaction, with high confidentiality impact and a scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account (or uses an existing one) on a WordPress site running Tourfic 2.22.5 or earlier, then sends a crafted request to the vulnerable plugin endpoint with malicious SQL in a parameter. Because the network attack vector and low complexity require no user interaction, automated tooling such as sqlmap could enumerate and dump the database, exfiltrating user emails and password hashes. …
Remediation Upgrade Tourfic to the first release after 2.22.5 (the next maintenance version that addresses this issue per the Patchstack advisory); the input does not specify an exact fixed version, so confirm the patched version directly from the vendor before deploying - Patch available per vendor advisory at https://patchstack.com/database/wordpress/plugin/tourfic/vulnerability/wordpress-tourfic-plugin-2-22-5-sql-injection-vulnerability?_s_id=cve. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations running Tourfic versions 2.22.5 or earlier; restrict open subscriber registration if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39718 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy