CVE-2024-8860 MEDIUM

CVE-2024-8860: Tourfic <= 2.14.5 - Missing Authorization in Multiple Functions

Vendor Themefic
Product Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress Plugin
Weakness CWE-862 · Missing authorization
Published August 26, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Tourfic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions in all versions up to, and including, 2.14.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively.
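The pattern behind CWE-862 here is an admin-ajax handler that is registered on the wp_ajax_{action} hook (which fires for any logged-in user) but never asks whether the caller is allowed to perform the operation. The following is an added, illustrative example, not Tourfic's own code: a minimal order-status handler in the vulnerable shape, followed by a hardened version. The hook names, meta key, post type and the capability used are assumptions made for the example and are not taken from the plugin.

```php
<?php
/**
 * Added example (not code from the Tourfic plugin). Shows the missing
 * capability check the advisory describes, then the corrected handler.
 * Hook names, '_tf_order_status', 'tf_order' and 'manage_options' are
 * assumptions for illustration only.
 */

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_{action} fires for EVERY authenticated user, subscribers included.
// Nothing below verifies that the caller may change an order, and there is
// no nonce, so the request can also be forged cross-site.
add_action( 'wp_ajax_tf_order_status_edit_example', 'tf_order_status_edit_example_vulnerable' );
function tf_order_status_edit_example_vulnerable() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );

    update_post_meta( $order_id, '_tf_order_status', $status ); // assumed meta key
    wp_send_json_success( array( 'order_id' => $order_id, 'status' => $status ) );
}
// A subscriber can trigger it with (assumed action name, cookie from a
// logged-in session):
//   curl -b 'wordpress_logged_in_...=...' \
//     -d 'action=tf_order_status_edit_example&order_id=123&status=cancelled' \
//     https://example.test/wp-admin/admin-ajax.php

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_tf_order_status_edit_example_fixed', 'tf_order_status_edit_example_fixed' );
function tf_order_status_edit_example_fixed() {
    // 1. CSRF: require a nonce for this action (created with wp_create_nonce()
    //    on the page that issues the request). Dies with HTTP 403 on failure.
    check_ajax_referer( 'tf_order_status_edit_example', 'nonce' );

    // 2. Authorization: the check whose absence is CWE-862. Subscribers do not
    //    hold 'manage_options'; a real plugin would use its own order-management
    //    capability instead (assumed choice here).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: integer ID, expected post type, allow-listed status.
    $order_id = absint( $_POST['order_id'] ?? 0 );
    if ( ! $order_id || get_post_type( $order_id ) !== 'tf_order' ) { // assumed post type
        wp_send_json_error( array( 'message' => 'unknown order' ), 400 );
    }
    $allowed = array( 'pending', 'confirmed', 'cancelled' );
    $status  = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid status' ), 400 );
    }

    update_post_meta( $order_id, '_tf_order_status', $status );
    wp_send_json_success( array( 'order_id' => $order_id, 'status' => $status ) );
}
```

Two points worth checking when auditing any handler of this kind: a nonce alone is not authorization (check_ajax_referer() only proves the request came from a page the same user loaded), and a login check alone is not authorization either, because wp_ajax_ hooks already run for every role. The current_user_can() call is the one that actually closes the CWE-862 gap; the nonce and allow-list are the complementary CSRF and input-validation controls.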

Explanation of Vulnerability in Simple Terms

02 Summary

The Tourfic WordPress plugin, in all versions through 2.14.5, does not check the caller's capabilities before running several order-management AJAX handlers. Any logged-in user, even one holding only the subscriber role, can therefore resend order status emails, edit visitor, check-in/check-out and order-status data (including bulk status changes), remove room order IDs and delete old review fields. Exploitation needs only a valid account on the site; no action by an administrator or other victim is required.

What an attacker can do

03 Attacker Capabilities

Resend order status emails, change visitor and order details, edit check-in/check-out details, set or bulk-update order status, remove room order IDs and delete old review fields, all without the capability normally required for these actions. The impact is limited to integrity: no data is disclosed (C:N) and service availability is not affected (A:N).

Potential impact on your site

04 Site Impact

A low-privilege user can corrupt or cancel reservations, change guest and check-in/check-out details and trigger order status emails to customers, disrupting bookings and damaging customer trust. Deleted review fields and removed room order IDs may be unrecoverable without a backup.

Conditions required to exploit

05 Prerequisites

The attacker must hold an authenticated account on the WordPress site with at least the subscriber role (the lowest default role), for example an ordinary customer account. On sites with open registration (Settings > General > "Anyone can register"), anyone can obtain such an account, so the effective barrier is low. Only installations running Tourfic 2.14.5 or earlier are affected; confirm the installed version in the WordPress plugins screen or with "wp plugin get tourfic --field=version" (assuming the plugin slug is tourfic).

Key dates

06 Disclosure timeline

August 26, 2025 CVE published
April 8, 2026 Record updated