Tourfic Plugin Vulnerable to Cross-Site Request Forgery
CVE-2024-8319

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vendor: CVE Published:; 30 August 2024

Summary

The Tourfic plugin for WordPress has a vulnerability that exposes the system to Cross-Site Request Forgery (CSRF) attacks. This issue arises from an absence or faulty implementation of nonce validation across multiple functions, including those that manage order status, visitor details, and check-in/out operations. As a consequence, unauthenticated attackers may exploit this vulnerability to forge requests, thereby executing actions that should require authentication. This includes the ability to resend order status emails, alter visitor or order information, edit check-in and check-out data, change order statuses, perform bulk updates, and delete specific data fields. The flaw underscores the importance of proper nonce validation to ensure that actions are performed by legitimate users.

Affected Version(s)

Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking * <= 2.11.20

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3054266/tourfic

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Aug 30, 2024
Vulnerability Reserved
Aug 29, 2024