Description
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload a Web Shell to a Web Server.This issue affects Tourfic: from n/a through <= 2.15.3.
Published: 2025-01-24
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Tourfic plugin contains an unrestricted file upload that accepts dangerous file types. The flaw allows an attacker to upload a web shell, providing the ability to execute arbitrary code on the hosting server. This vulnerability is a classic CWE‑434, and any successful exploitation compromises confidentiality, integrity, and availability of the affected website.

Affected Systems

Vendor Themefic distributes the Tourfic plugin for WordPress. All versions up to and including 2.15.3 are affected. Hosts running these versions are at risk unless the plugin is updated to a newer release.

Risk and Exploitability

The CVSS score of 9.1 marks this as a high‑severity vulnerability. The EPSS score of less than 1 % indicates a very low probability of exploitation in the wild, and the issue is not listed in CISA’s KEV catalog. Based on the description, it is likely the flaw is exploitable remotely via the public upload interface; an attacker requires an authenticated or unauthenticated web access with file upload permissions, which is commonly available on many WordPress sites. Successful exploitation would lead to immediate remote code execution.

Generated by OpenCVE AI on May 1, 2026 at 18:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tourfic plugin to the latest available version, ensuring the upload restriction fix is applied.
  • Restrict upload capabilities to trusted user roles and enforce strict file type validation within WordPress or via the plugin settings.
  • Configure the web server to prevent execution of files in the upload directory, for example by disabling PHP execution or using .htaccess rules.

Generated by OpenCVE AI on May 1, 2026 at 18:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3848 Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic allows Upload a Web Shell to a Web Server. This issue affects Tourfic: from n/a through 2.15.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic allows Upload a Web Shell to a Web Server. This issue affects Tourfic: from n/a through 2.15.3. Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload a Web Shell to a Web Server.This issue affects Tourfic: from n/a through <= 2.15.3.
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Mon, 09 Jun 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Themefic
Themefic tourfic
CPEs cpe:2.3:a:themefic:tourfic:*:*:*:*:*:wordpress:*:*
Vendors & Products Themefic
Themefic tourfic

Fri, 24 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic allows Upload a Web Shell to a Web Server. This issue affects Tourfic: from n/a through 2.15.3.
Title WordPress Tourfic plugin <= 2.15.3 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Themefic Tourfic
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:31.284Z

Reserved: 2025-01-23T14:51:41.777Z

Link: CVE-2025-24650

cve-icon Vulnrichment

Updated: 2025-01-24T18:45:51.204Z

cve-icon NVD

Status : Modified

Published: 2025-01-24T18:15:39.347

Modified: 2026-04-23T15:25:13.040

Link: CVE-2025-24650

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T19:00:08Z

Weaknesses