Tourfic <= 2.21.4 - Missing Authorization
Description
The Tourfic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.21.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
What Changed in the Fix
Changes introduced in v2.21.5
Source Code
WordPress.org SVN
This research plan outlines the steps to exploit CVE-2026-39543, a missing authorization vulnerability in the Tourfic plugin.
1. Vulnerability Summary
The Tourfic plugin (<= 2.21.4) registers several AJAX handlers that perform sensitive actions—such as installing/activating affiliate plugins, duplicating post data, or changing booking statuses—without verifying the user's capabilities. Specifically, these functions are likely registered using both wp_ajax_ and wp_ajax_nopriv_ hooks but fail to implement current_user_can() checks. This allows unauthenticated attackers to trigger these actions.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Actions Identified from Source:
  - tf_affiliate_install: Installs a hardcoded affiliate plugin (typically "ReviewX").
  - tf_affiliate_active: Activates the affiliate plugin.
  - tf_duplicate_post_data: Duplicates Tourfic custom post types (Hotels, Tours).
  - tf_ticket_status_change: Changes booking check-in status.
- Authentication: Unauthenticated (Privileges Required: None).
- Preconditions: A valid WordPress nonce may be required if the wp_verify_nonce check is present but the capability check is missing.
3. Code Flow
- Entry Point: The attacker sends a POST request to admin-ajax.php.
- Hook Registration: The plugin registers handlers in a file like inc/functions.php (inferred) using: add_action( 'wp_ajax_nopriv_tf_affiliate_install', 'tf_affiliate_install_callback' );
- Vulnerable Function: The callback function (e.g., tf_affiliate_install_callback) executes.
- Missing Check: The function performs logic (like calling wp_ajax_install_plugin or modifying wp_options) without a current_user_can( 'manage_options' ) guard.
- Sink: The system state is modified (plugin installed/activated or data duplicated).
4. Nonce Acquisition Strategy
The AJAX handlers in assets/admin/js/tourfic-admin-scripts.min.js use a nonce localized in the tf_admin_params object. While this is an admin script, the same nonce (tf_nonce) is often localized for all users in the tf_params object on the frontend to support booking features.
Strategy:
- Setup: Create a Tourfic Hotel post to ensure Tourfic scripts and nonces are enqueued on the frontend.
- Navigation: Visit the newly created Hotel page.
- Extraction: Use browser_eval to extract the nonce from the global JavaScript variables.
  - Variable Name: window.tf_admin_params (Admin context) or window.tf_params (Frontend context).
  - Key: tf_nonce.
  - Command: browser_eval("window.tf_params?.tf_nonce || window.tf_admin_params?.tf_nonce")
5. Exploitation Strategy
We will target the `tf_
Summary
The Tourfic plugin for WordPress fails to implement capability checks in several AJAX handlers, including those for installing plugins and duplicating data. This allows unauthenticated attackers to perform administrative actions such as installing the ReviewX affiliate plugin or duplicating custom post types, provided they can obtain a valid security nonce.
Vulnerable Code
```php
// Inferred from AJAX registration in Tourfic plugin
// File: inc/functions.php (approximate)
add_action( 'wp_ajax_nopriv_tf_affiliate_install', 'tf_affiliate_install' );
add_action( 'wp_ajax_tf_affiliate_install', 'tf_affiliate_install' );

function tf_affiliate_install() {
    // Missing current_user_can('manage_options') check
    $nonce = $_POST['nonce'];
    if ( ! wp_verify_nonce( $nonce, 'tf_nonce' ) ) {
        die();
    }
    // Logic to install affiliate plugin (ReviewX)
}
```

---

```php
// File: inc/functions.php (approximate)
add_action( 'wp_ajax_nopriv_tf_duplicate_post_data', 'tf_duplicate_post_data' );
add_action( 'wp_ajax_tf_duplicate_post_data', 'tf_duplicate_post_data' );

function tf_duplicate_post_data() {
    // Missing current_user_can('edit_posts') check
    $security = $_POST['security'];
    if ( ! wp_verify_nonce( $security, 'tf_duplicate_post_nonce' ) ) {
        die();
    }
    // Logic to duplicate hotel/tour data
}
```
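The pattern shown above (a callback registered on a wp_ajax_nopriv_ hook whose body never calls current_user_can()) is easy to miss by eye across a large plugin, so here is a small static audit script, added as an example and not part of this advisory or of the Tourfic plugin. The PHP it scans (SAMPLE_PHP) is constructed to mirror the inferred handlers above plus one guarded handler; the names function_body and find_unguarded_ajax_handlers are the example's own.

```python
import re
# Constructed sample mirroring the inferred Tourfic handlers above plus one
# guarded handler; it is NOT the plugin's real source.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_nopriv_tf_affiliate_install', 'tf_affiliate_install' );
add_action( 'wp_ajax_tf_affiliate_install', 'tf_affiliate_install' );
function tf_affiliate_install() {
    $nonce = $_POST['nonce'];
    if ( ! wp_verify_nonce( $nonce, 'tf_nonce' ) ) { die(); }
}
add_action( 'wp_ajax_nopriv_tf_duplicate_post_data', 'tf_duplicate_post_data' );
function tf_duplicate_post_data() {
    check_ajax_referer( 'tf_duplicate_post_nonce', 'security' );
}
add_action( 'wp_ajax_tf_safe_action', 'tf_safe_action' );
function tf_safe_action() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error(); }
    check_ajax_referer( 'tf_nonce', 'nonce' );
}
"""

# add_action( 'wp_ajax_[nopriv_]<action>', '<callback>' ... ) with a string callback
HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([\w-]+)['"]\s*,\s*['"]([\w\\]+)['"]""")

def function_body(src, name):
    """Body of PHP function `name` via naive brace counting, or None if not defined in src."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def find_unguarded_ajax_handlers(src):
    """(action, callback, reachable_unauthenticated) for AJAX callbacks lacking current_user_can()."""
    exposure = {}  # callback -> (first action name, seen on a wp_ajax_nopriv_ hook?)
    for nopriv, action, callback in HOOK_RE.findall(src):
        first_action, seen_nopriv = exposure.get(callback, (action, False))
        exposure[callback] = (first_action, seen_nopriv or bool(nopriv))
    findings = []
    for callback, (action, nopriv) in exposure.items():
        body = function_body(src, callback)
        if body is None:
            continue  # method/closure callbacks are not resolvable by this scan
        if "current_user_can(" not in body:
            findings.append((action, callback, nopriv))
    return findings
```

Entries flagged with reachable_unauthenticated set to True are the ones that match this advisory's class of bug; handlers registered only on wp_ajax_ still deserve a per-role review, since any logged-in subscriber can reach them.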
Security Fix
@@ -105,6 +105,9 @@ function tf_affiliate_install() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => __( 'Permission denied', 'tourfic' ) ) ); + } check_ajax_referer( 'tf_nonce', 'nonce' ); // Logic to install plugin } @@ -120,6 +123,9 @@ function tf_duplicate_post_data() { + if ( ! current_user_can( 'edit_posts' ) ) { + wp_send_json_error( array( 'message' => __( 'Permission denied', 'tourfic' ) ) ); + } check_ajax_referer( 'tf_duplicate_post_nonce', 'security' ); // Logic to duplicate post }
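Review bot: the first hunk (`@@ -105,6 +105,9 @@`, tf_affiliate_install) places the capability check ahead of `check_ajax_referer`, and `wp_send_json_error()` ends the request, so unprivileged callers never reach the install logic; what the diff leaves untouched is the `wp_ajax_nopriv_tf_affiliate_install` registration shown under Vulnerable Code. Installing a plugin is an admin-only action with no legitimate unauthenticated caller, so consider also removing that nopriv add_action so the callback is not invoked for anonymous requests at all, rather than relying on the in-function guard alone.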
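Review bot: in the second hunk (`@@ -120,6 +123,9 @@`, tf_duplicate_post_data) `edit_posts` is a role-wide capability, so any account that can edit its own posts passes it regardless of which hotel or tour is being duplicated. Since the handler acts on a specific post (the `postID` parameter named in the Exploit Outline), a per-object check such as `current_user_can( 'edit_post', $post_id )` would limit duplication to posts the caller may actually edit; the same point about dropping the `wp_ajax_nopriv_` registration applies to this handler too.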
Exploit Outline
1. Target Endpoint: The attacker targets the WordPress AJAX endpoint at `/wp-admin/admin-ajax.php`.
2. Nonce Acquisition: The attacker extracts a valid security nonce (e.g., `tf_nonce`) by visiting a frontend page where Tourfic enqueues scripts, as the plugin often localizes these nonces in the `tf_params` or `tf_admin_params` global JavaScript objects.
3. Action Selection: The attacker chooses a vulnerable AJAX action, such as `tf_affiliate_install` (to install an affiliate plugin), `tf_duplicate_post_data` (to duplicate content), or `tf_ticket_status_change` (to modify booking metadata).
4. Request Construction: The attacker sends a POST request to the AJAX endpoint with the selected `action`, the acquired `nonce`, and necessary parameters (like `postID` or `status`).
5. Execution: Because the plugin lacks a `current_user_can()` check in the callback function, the server executes the privileged action despite the attacker being unauthenticated.