Skip to main content

Tourfic Ai Powered Travel Booking Hotel Booking Car Rental Wordpress Plugin

1 CVEs product

Monthly

CVE-2026-12937 HIGH This Week

Unauthenticated SQL injection in the Tourfic WordPress travel-booking plugin (versions through 2.22.7) lets remote attackers read arbitrary database contents via the 'post_id' parameter of the tf_room_availability AJAX action. Because the action is registered for logged-out users (wp_ajax_nopriv) and the required nonce is publicly emitted on single-hotel pages, no authentication is needed in practice. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

WordPress SQLi Tourfic Ai Powered Travel Booking Hotel Booking Car Rental Wordpress Plugin
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in the Tourfic WordPress travel-booking plugin (versions through 2.22.7) lets remote attackers read arbitrary database contents via the 'post_id' parameter of the tf_room_availability AJAX action. Because the action is registered for logged-out users (wp_ajax_nopriv) and the required nonce is publicly emitted on single-hotel pages, no authentication is needed in practice. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

WordPress SQLi Tourfic Ai Powered Travel Booking Hotel Booking Car Rental Wordpress Plugin
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy