PT-2024-38937 · WordPress · Tourfic

Published: 2024-08-30 · Updated: 2024-09-03 · CVE-2024-8319

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: The Tourfic plugin for WordPress versions up to, and including, 2.11.20
Description: The issue is due to missing or incorrect nonce validation on several functions, including the tf order status email resend function, tf visitor details edit function, tf checkinout details edit function, tf order status edit function, tf order bulk action edit function, tf remove room order ids function, and tf delete old review fields function. Because these handlers do not verify a request-specific nonce, a forged request is processed with the privileges of whichever administrator's browser submits it. This allows unauthenticated attackers to perform actions such as resending order status emails, updating visitor/order details, editing check-in/out details, editing order status, performing bulk order status updates, removing room order IDs, and deleting old review fields, provided they can trick a site administrator into performing an action that sends the forged request.
Recommendations: For versions up to, and including, 2.11.20, update to a version that includes the fix for the nonce validation issue. As a temporary workaround, consider restricting access to the vulnerable functions until a patch is available, and avoid using the affected Tourfic functions until the issue is resolved. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
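As an added illustration (not Tourfic's code), the pattern the description refers to is a WordPress admin-ajax handler that changes state without a nonce check, shown beside its hardened form; the handler, meta key, script handle and nonce action names are hypothetical.

```php
<?php
// Hypothetical admin-ajax handler that edits an order status.
// Names prefixed "example_tf_" are constructed for this illustration.

// Vulnerable pattern: no nonce check. Any request that reaches admin-ajax.php
// with a logged-in administrator's cookies is accepted, including one that
// another site forged on that administrator's behalf (CSRF).
function example_tf_order_status_edit_unsafe() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $order_id, '_example_tf_order_status', $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_tf_order_status_edit_unsafe', 'example_tf_order_status_edit_unsafe' );

// Hardened form: the handler requires a nonce bound to this specific action
// and a capability check. A forged cross-site request carries the cookies
// but not the nonce, so check_ajax_referer() stops it with a 403 / -1 reply.
function example_tf_order_status_edit_safe() {
    check_ajax_referer( 'example_tf_order_status_edit', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $order_id, '_example_tf_order_status', $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_tf_order_status_edit_safe', 'example_tf_order_status_edit_safe' );

// The plugin's own admin page is the only place that can obtain the nonce:
// it is generated server-side for the logged-in user and handed to the
// page's script, which sends it back as the "nonce" POST field.
function example_tf_enqueue_admin_script() {
    wp_enqueue_script( 'example-tf-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-tf-admin', 'exampleTf', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_tf_order_status_edit' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_tf_enqueue_admin_script' );
```

When reviewing a plugin for this class of issue, look for every `wp_ajax_*` / `admin_post_*` hook (and form handlers on `admin_init`) that modifies data and confirm it calls `check_ajax_referer()`, `check_admin_referer()` or `wp_verify_nonce()` together with a `current_user_can()` check before doing so.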

Weakness Enumeration: CSRF

Related Identifiers: CVE-2024-8319

Affected Products: Tourfic