Description
The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler is registered for unauthenticated users via wp_ajax_nopriv_tf_room_availability, and the required nonce is emitted on the public single-hotel page template, allowing unauthenticated attackers to freely obtain a valid nonce and reach the vulnerable code path.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A generic SQL injection flaw exists in Tourfic, a WordPress travel booking plugin, through the post_id parameter used by the wp_ajax_nopriv_tf_room_availability AJAX handler. The lack of parameter escaping allows an unauthenticated attacker to append arbitrary SQL statements to the query, enabling extraction of database contents.

Affected Systems

The flaw affects the Tourfic plugin from Themefic, in all releases up to and including version 2.22.7. No later versions are mentioned as vulnerable within the current advisory.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the EPSS score is currently unavailable, while the vulnerability is not yet listed in CISA’s KEV catalog. Attackers can exploit the flaw by sending crafted requests to the unauthenticated AJAX endpoint, using the publicly exposed nonce to authenticate the request, and then injecting arbitrary SQL to extract information from the database. This enables unauthorized disclosure of data stored in the WordPress database.

Generated by OpenCVE AI on June 25, 2026 at 10:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tourfic plugin to the latest version that contains the SQL injection fix.
  • If an update is not immediately feasible, temporarily block the wp_ajax_nopriv_tf_room_availability endpoint using a firewall or security plugin, preventing unauthenticated access to the vulnerable AJAX handler.
  • Limit the database user privileges granted to WordPress to the minimum required (e.g., read‑only where appropriate) to reduce the impact of a successful injection attempt.

Generated by OpenCVE AI on June 25, 2026 at 10:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Description The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler is registered for unauthenticated users via wp_ajax_nopriv_tf_room_availability, and the required nonce is emitted on the public single-hotel page template, allowing unauthenticated attackers to freely obtain a valid nonce and reach the vulnerable code path.
Title Tourfic <= 2.22.7 - Unauthenticated SQL Injection via 'post_id' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-25T06:51:34.972Z

Reserved: 2026-06-22T19:08:15.050Z

Link: CVE-2026-12937

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T10:45:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')