Tourfic Toolkit Security & Risk Analysis

wordpress.org/plugins/travelfic-toolkit

A companion plugin to the Travelfic and Ultimate Hotel Booking with which you can easily build your own Hotel, Accommodation, Tour & Travel Bookin …

1K active installs · v1.4.0 · PHP 7.4+ · WP 5.4+ · Updated Mar 12, 2026
Tags: hotel-reservation, tour-operator, tour-packages, travel, travel-itinerary
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Nov 26, 2025
Safety Verdict

Is Tourfic Toolkit Safe to Use in 2026?

Generally Safe

Score 98/100

Tourfic Toolkit has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Nov 26, 2025 · Updated 22d ago
Risk Assessment

The travelfic-toolkit plugin v1.4.0 exhibits a mixed security posture. It demonstrates good practices such as 100% use of prepared statements for SQL queries and a high percentage of properly escaped output, but significant concerns remain. Of its 17 AJAX handlers, 4 lack authentication checks, which presents a substantial attack surface that could be exploited by unauthenticated users. The static analysis also identified 7 instances of dangerous function usage, specifically `unserialize`, which can lead to remote code execution vulnerabilities if user-supplied data is not rigorously sanitized before being passed to this function. The vulnerability history currently shows no unpatched CVEs but reveals past issues including Missing Authorization and Cross-site Scripting (XSS). Two medium-severity vulnerabilities have occurred in the past, the last one relatively recently, which suggests a pattern of potential oversight in secure coding practices that requires ongoing vigilance. Overall, the plugin has strengths in data handling for queries and output, but the unprotected entry points and the risky `unserialize` function, coupled with historical vulnerability patterns, indicate a moderate to high risk profile.

Key Concerns

  • Unprotected AJAX handlers (4 out of 17)
  • Dangerous function usage: unserialize (7 instances)
  • Past medium severity vulnerabilities (2)
Vulnerabilities
2

Tourfic Toolkit Security Vulnerabilities

CVEs by Year

2 CVEs in 2025 (chart legend: Patched, Has unpatched)

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2026-24940 · medium · 4.3 · Missing Authorization

Travelfic Toolkit <= 1.3.3 - Missing Authorization

Nov 26, 2025 Patched in 1.3.4 (77d)
CVE-2025-39585 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Travelfic Toolkit <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 16, 2025 Patched in 1.2.3 (7d)
Code Analysis
Analyzed Mar 16, 2026

Tourfic Toolkit Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 75 (1151 escaped)
Nonce Checks: 13
Capability Checks: 6
File Operations: 6
External Requests: 7
Bundled Libraries: 1

Dangerous Functions Found

unserialize · `$menu_items = unserialize($serialized_menu);` · inc\class\class-importer.php:650
unserialize · `$room = unserialize( $tf_hotel_exc_value );` · inc\class\class-importer.php:1770
unserialize · `$room = unserialize( $tf_hotel_exc_value );` · inc\class\class-importer.php:1813
unserialize · `$room = unserialize( $tf_hotel_exc_value );` · inc\class\class-importer.php:1843
unserialize · `$post_meta['tf_tours_opt']['disabled_day'] = unserialize( $row[$column_index] );` · inc\class\class-importer.php:2422
unserialize · `$itinerary = unserialize( $tf_hotel_exc_value );` · inc\class\class-importer.php:2457
unserialize · `$rooms = unserialize( $tf_hotel_rooms_value );` · inc\class\class-importer.php:3141

Bundled Libraries

Select2

Output Escaping

94% escaped · 1226 total outputs
Data Flows
All sanitized

Data Flow Analysis

6 flows
prepare_travelfic_global_settings (inc\class\class-importer.php:42)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
4 unprotected

Tourfic Toolkit Attack Surface

Entry Points: 18
Unprotected: 4

AJAX Handlers 17

auth · wp_ajax_travelfic-global-settings-import · inc\class\class-importer.php:28
auth · wp_ajax_travelfic-customizer-settings-import · inc\class\class-importer.php:29
auth · wp_ajax_travelfic-demo-hotel-import · inc\class\class-importer.php:30
auth · wp_ajax_travelfic-demo-tour-import · inc\class\class-importer.php:31
auth · wp_ajax_travelfic-demo-car-import · inc\class\class-importer.php:32
auth · wp_ajax_travelfic-demo-pages-import · inc\class\class-importer.php:33
auth · wp_ajax_travelfic-demo-widget-import · inc\class\class-importer.php:34
auth · wp_ajax_travelfic-demo-menu-import · inc\class\class-importer.php:35
auth · wp_ajax_travelfic-template-list-sync · inc\class\class-template-sync.php:17
auth · wp_ajax_woocommerce_ajax_install_plugin · inc\functions.php:37
auth · wp_ajax_woocommerce_ajax_active_plugin · inc\functions.php:38
auth · wp_ajax_contact-form-7_ajax_install_plugin · inc\functions.php:41
auth · wp_ajax_contact-form-7_ajax_active_plugin · inc\functions.php:42
auth · wp_ajax_tourfic_ajax_install_plugin · inc\functions.php:45
auth · wp_ajax_tourfic_ajax_active_plugin · inc\functions.php:46
auth · wp_ajax_elementor_ajax_install_plugin · inc\functions.php:50
auth · wp_ajax_elementor_ajax_active_plugin · inc\functions.php:51

Shortcodes 1

[year] · inc\functions.php:368

WordPress Hooks 33

action · wp_head · inc\class\class-importer.php:36
action · admin_menu · inc\class\class-template-list.php:27
filter · woocommerce_enable_setup_wizard · inc\class\class-template-list.php:28
action · admin_init · inc\class\class-template-list.php:29
action · in_admin_header · inc\class\class-template-list.php:31
action · init · inc\class\class-template-sync.php:20
filter · travelfic_header · inc\customizer\customizer-apply.php:6
filter · ultimate_hotel_booking_header · inc\customizer\customizer-apply.php:7
filter · travelfic_footer · inc\customizer\customizer-apply.php:26
filter · ultimate_hotel_booking_footer · inc\customizer\customizer-apply.php:27
filter · travelfic_page_tftcontainer · inc\customizer\customizer-apply.php:48
filter · hotelic_page_tftcontainer · inc\customizer\customizer-apply.php:49
action · wp_footer · inc\customizer\customizer-apply.php:64
action · wp_head · inc\customizer\customizer-apply.php:570
action · init · inc\customizer\customizer-migrator.php:4
action · init · inc\customizer\customizer-settings.php:19
action · init · inc\elementor-widgets.php:46
action · plugins_loaded · inc\elementor-widgets.php:47
action · elementor/elements/categories_registered · inc\elementor-widgets.php:83
action · elementor/widgets/widgets_registered · inc\elementor-widgets.php:86
filter · body_class · inc\functions.php:165
action · wp_head · inc\functions.php:275
filter · body_class · inc\functions.php:357
action · wp_head · inc\functions.php:376
action · admin_notices · travelfic-toolkit.php:48
action · admin_notices · travelfic-toolkit.php:51
action · admin_init · travelfic-toolkit.php:54
filter · theme_file_path · travelfic-toolkit.php:67
action · init · travelfic-toolkit.php:73
action · customize_controls_enqueue_scripts · travelfic-toolkit.php:147
action · customize_preview_init · travelfic-toolkit.php:153
action · wp_enqueue_scripts · travelfic-toolkit.php:159
action · admin_enqueue_scripts · travelfic-toolkit.php:169
Maintenance & Trust

Tourfic Toolkit Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 24K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 1K
Developer Profile

Tourfic Toolkit Developer Profile

Themefic

11 plugins · 97K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 93 days
Detection Fingerprints

How We Detect Tourfic Toolkit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/travelfic-toolkit/assets/admin/lib/select2/select2.min.css
/wp-content/plugins/travelfic-toolkit/assets/admin/css/style.css
/wp-content/plugins/travelfic-toolkit/assets/app/css/style.min.css
Script Paths
/wp-content/plugins/travelfic-toolkit/assets/admin/lib/select2/select2.min.js
/wp-content/plugins/travelfic-toolkit/assets/admin/js/customizer.js
/wp-content/plugins/travelfic-toolkit/assets/app/js/main.js
Version Parameters
travelfic-toolkit/assets/admin/lib/select2/select2.min.css?ver=
travelfic-toolkit/assets/admin/css/style.css?ver=
travelfic-toolkit/assets/admin/js/customizer.js?ver=
travelfic-toolkit/assets/app/js/main.js?ver=
travelfic-toolkit/assets/app/css/style.min.css?ver=

HTML / DOM Fingerprints

CSS Classes
tf-notice-wrapper
HTML Comments
<!-- IMPORTANT: Include file from plugin if it is not available in theme -->
<!-- Loading Text Domain -->
<!-- Customizer Settings -->
<!-- Customizer Migrator -->
(+10 more)
Data Attributes
data-tf-notice-id
JS Globals
travelfic_toolkit_active_plugins
travelfic_toolkit_facts
FAQ

Frequently Asked Questions about Tourfic Toolkit