Description
Subscriber SQL Injection in Tourfic <= 2.22.5 versions.
Published: 2026-06-26
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Tourfic plugin contains a classic SQL injection flaw that is reachable through attacker-controlled input when processing subscriber actions. This vulnerability could allow an attacker to execute arbitrary SQL statements against the site's database, potentially exposing, modifying, or deleting sensitive data stored by the plugin. The primary security consequence is a breach of confidentiality and integrity, and in some configurations it may enable further privilege escalation.

Affected Systems

The affected product is the Themefic Tourfic WordPress plugin; any installation running version 2.22.5 or earlier is vulnerable. No specific operating system or WordPress version restrictions are noted, so any WordPress site that has not yet upgraded beyond 2.22.5 is at risk.

Risk and Exploitability

The CVSS score of 8.5 classifies this vulnerability as High severity. While an EPSS score is not available and it is not listed in CISA's KEV catalog, the exploitation potential remains significant. The likely attack vector is the subscriber functionality exposed by the plugin, which may not require administrative credentials. Attackers who can submit data to the plugin could inject malicious SQL and retrieve sensitive information from the database. Until a patch is applied, the vulnerability could be exploited by a remote adversary with web access to the site.

Generated by OpenCVE AI on June 26, 2026 at 17:10 UTC.

Remediation

Vendor Solution

Update the WordPress Tourfic Plugin to the latest available version (at least 2.22.6).


OpenCVE Recommended Actions

  • Update the Tourfic plugin to version 2.22.6 or later. This patch removes the vulnerable code path and validates all input.
  • If immediate remediation is required and the upgrade cannot be performed right away, disable or delete the Tourfic plugin to remove the attack surface.
  • After applying the fix, perform a review of the database for any signs of injected queries or unauthorized data changes and tighten database permissions for the WordPress application.

Generated by OpenCVE AI on June 26, 2026 at 17:10 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Subscriber SQL Injection in Tourfic <= 2.22.5 versions.
Title       |                | WordPress Tourfic plugin <= 2.22.5 - SQL Injection vulnerability
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:43:12.723Z

Reserved: 2026-06-18T14:38:18.949Z

Link: CVE-2026-56064

Vulnrichment

Updated: 2026-06-26T17:26:55.250Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:15:04Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')