CVE-2024-8860

Name of the Vulnerable Software and Affected Versions: Tourfic plugin for WordPress versions up to and including 2.14.5

Description: The Tourfic plugin for WordPress is susceptible to unauthorized data modification due to a missing capability check in the following functions: tf order status email resend function, tf visitor details edit function, tf checkinout details edit function, tf order status edit function, tf order bulk action edit function, tf remove room order ids, and tf delete old review fields. Authenticated attackers with subscriber-level access or higher can exploit this issue to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields.

Recommendations: Tourfic plugin for WordPress versions prior to 2.14.5: Update to version 2.14.5 or later.