PT-2025-34747 · WordPress · Tourfic
Published 2025-08-26 · Updated 2025-08-26
CVE-2024-8860 · CVSS 4.3 (Medium)
Base vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Tourfic plugin for WordPress versions up to and including 2.14.5
Description:
The Tourfic plugin for WordPress is susceptible to unauthorized data modification due to a missing capability check in the following functions: `tf_order_status_email_resend_function`, `tf_visitor_details_edit_function`, `tf_checkinout_details_edit_function`, `tf_order_status_edit_function`, `tf_order_bulk_action_edit_function`, `tf_remove_room_order_ids`, and `tf_delete_old_review_fields`. Authenticated attackers with subscriber-level access or higher can exploit this issue to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields.
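The bug class in the description, shown as an added PHP example that is not Tourfic's code: a `wp_ajax_` handler that edits an order status with no capability check, beside the hardened form. The hook names, the `tf_order_status` nonce action, the meta key and the allowed status values are assumptions chosen for the illustration.

```php
<?php
// Added illustration, not the plugin's own code. Any logged-in user,
// subscribers included, can reach wp_ajax_* hooks through admin-ajax.php,
// so a handler without a capability check is reachable by every account.

// VULNERABLE pattern: no nonce, no capability check. A subscriber who can
// POST to admin-ajax.php can change any order's status.
function example_tf_order_status_edit_vulnerable() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $order_id, 'tf_order_status', $status ); // assumed meta key
    wp_send_json_success( 'updated' );
}
add_action( 'wp_ajax_example_tf_order_status_edit_vuln', 'example_tf_order_status_edit_vulnerable' );

// HARDENED pattern: verify the nonce (CSRF), then check the capability
// (authorization). The nonce alone is not authorization: a subscriber can
// obtain a valid nonce for their own session, so current_user_can() is the
// check that closes the missing-authorization weakness (CWE-862).
function example_tf_order_status_edit_hardened() {
    check_ajax_referer( 'tf_order_status', 'nonce' ); // assumed action; dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed  = array( 'pending', 'confirmed', 'cancelled' ); // assumed states
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );

    if ( ! $order_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    update_post_meta( $order_id, 'tf_order_status', $status );
    wp_send_json_success( 'updated' );
}
add_action( 'wp_ajax_example_tf_order_status_edit', 'example_tf_order_status_edit_hardened' );
```

When auditing a plugin for this class of issue, list every `wp_ajax_` and `admin_post_` callback and confirm each one performs its own `current_user_can()` check before touching data.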
Recommendations:
Tourfic plugin for WordPress versions prior to 2.14.5: Update to version 2.14.5 or later.
Tags: Fix · LPE · Missing Authorization
References · 7
- https://nvd.nist.gov/vuln/detail/CVE-2024-8860 · Security Note
- https://twitter.com/VulmonFeeds/status/1960284173517652177 · Twitter Post
- https://wordfence.com/threat-intel/vulnerabilities/id/c12c7f08-5132-4209-ae4e-fb67bf885e57?source=cve · Note
- https://t.me/cveNotify/133419 · Telegram Post
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3143760%40tourfic&new=3143760%40tourfic&sfp_email=&sfph_mail= · Note
- https://twitter.com/CVEnew/status/1960275285275726207 · Twitter Post
- https://t.me/CVEtracker/30905 · Telegram Post