Description: What the vulnerability does
The Tourfic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions in all versions up to, and including, 2.14.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively.
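The root cause described above is a WordPress AJAX handler that performs a privileged write without first checking a nonce or the caller's capability. The following PHP is an added illustration, not code from the Tourfic plugin: it shows the missing-authorization pattern next to its hardened form using the WordPress core functions `check_ajax_referer` and `current_user_can`. The handler names, action hooks, meta key and allowed status values are hypothetical.

```php
<?php
// Added illustration, not Tourfic's code. Handler names, action names,
// the meta key and the status list are hypothetical.

// Vulnerable pattern: wp_ajax_* hooks run for any authenticated user,
// subscribers included, so without a capability check anyone who is
// logged in can change an order's status.
function example_order_status_edit_vulnerable() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';

    update_post_meta( $order_id, 'example_order_status', $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_order_status_edit_vulnerable', 'example_order_status_edit_vulnerable' );

// Hardened form: verify a nonce bound to this action, then require a
// capability that only the intended role holds, then validate input.
function example_order_status_edit_hardened() {
    // Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_order_status_edit', 'nonce' );

    // Authorization: the capability, not merely being logged in, is the gate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed  = array( 'pending', 'confirmed', 'cancelled' ); // hypothetical
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';

    if ( ! $order_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    update_post_meta( $order_id, 'example_order_status', $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_order_status_edit_hardened', 'example_order_status_edit_hardened' );
```

When auditing a plugin for this class of bug, list every `add_action( 'wp_ajax_...' )` registration and confirm that each callback reaches a `current_user_can()` (or equivalent) check before any write. A nonce alone is not authorization: `check_ajax_referer` only proves the request came from a page that issued the nonce, and subscribers can obtain nonces from pages they are allowed to view.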
Summary: Explanation of the vulnerability in simple terms
The Tourfic WordPress plugin through version 2.14.5 lacks proper authorization checks on certain administrative functions. A logged-in user with low privileges can modify data they should not have access to, such as booking details or plugin settings. The vulnerability requires an active user account but no special interaction from the victim.
Attacker capabilities: What an attacker can do
Modify booking records, hotel listings, or plugin settings without proper authorization.
Site impact: Potential impact on your site
Unauthorized users can alter critical booking and hotel data, potentially disrupting reservations and damaging customer trust.
Prerequisites: Conditions required to exploit
Attacker must have a low-privilege user account (e.g., customer or subscriber role) on the WordPress site.
Disclosure timeline: Key dates
CVE published: August 26, 2025
Record updated: April 8, 2026