Skip to main content

Tourfic

5 CVEs product

Monthly

CVE-2026-57395 MEDIUM This Month

Missing Authorization (CWE-862) in the Tourfic WordPress plugin through version 2.22.5 permits authenticated low-privilege users to exploit incorrectly configured access control levels, resulting in unauthorized high-confidentiality data exposure. The CVSS vector (PR:L, C:H, I:N) confirms that any logged-in WordPress user - such as a customer or subscriber - can read sensitive data reserved for higher-privileged roles without modifying or disrupting it. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes exploitation straightforward once the unprotected endpoint is located.

Authentication Bypass Tourfic
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57392 MEDIUM This Month

Tourfic, a WordPress travel booking plugin by Themefic, exposes unauthenticated access control bypass through missing authorization checks on one or more plugin endpoints, affecting all versions through 2.22.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote, unauthenticated exploitation with limited integrity and availability impact. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes opportunistic exploitation straightforward against any WordPress site with the plugin installed.

Authentication Bypass Tourfic
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-39543 MEDIUM This Month

Missing authorization in Themefic Tourfic WordPress plugin versions up to 2.21.4 allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability exposes data confidentiality without enabling modification or denial of service, affecting WordPress sites running the vulnerable plugin. Despite a moderate CVSS score of 5.3, the extremely low EPSS score of 0.02% indicates minimal real-world exploitation probability.

Authentication Bypass Tourfic
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-12032 MEDIUM PATCH This Month

The Tourfic - Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking plugin for WordPress is vulnerable to SQL Injection via the 'enquiry_id' parameter of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Tourfic
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-8319 MEDIUM PATCH This Month

The Tourfic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.11.20. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Tourfic
NVD
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization (CWE-862) in the Tourfic WordPress plugin through version 2.22.5 permits authenticated low-privilege users to exploit incorrectly configured access control levels, resulting in unauthorized high-confidentiality data exposure. The CVSS vector (PR:L, C:H, I:N) confirms that any logged-in WordPress user - such as a customer or subscriber - can read sensitive data reserved for higher-privileged roles without modifying or disrupting it. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes exploitation straightforward once the unprotected endpoint is located.

Authentication Bypass Tourfic
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Tourfic, a WordPress travel booking plugin by Themefic, exposes unauthenticated access control bypass through missing authorization checks on one or more plugin endpoints, affecting all versions through 2.22.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote, unauthenticated exploitation with limited integrity and availability impact. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes opportunistic exploitation straightforward against any WordPress site with the plugin installed.

Authentication Bypass Tourfic
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in Themefic Tourfic WordPress plugin versions up to 2.21.4 allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability exposes data confidentiality without enabling modification or denial of service, affecting WordPress sites running the vulnerable plugin. Despite a moderate CVSS score of 5.3, the extremely low EPSS score of 0.02% indicates minimal real-world exploitation probability.

Authentication Bypass Tourfic
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The Tourfic - Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking plugin for WordPress is vulnerable to SQL Injection via the 'enquiry_id' parameter of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Tourfic
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Tourfic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.11.20. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Tourfic
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy