[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5NkqYfMO5Tna0ygZGX9KbLg_TRqLTyOYOu3FUw6murE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39543","tourfic-missing-authorization","Tourfic \u003C= 2.21.4 - Missing Authorization","The Tourfic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.21.4. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","tourfic",null,"\u003C=2.21.4","2.21.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-28 00:00:00","2026-04-15 21:29:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6ffccb84-faee-4a47-ab49-dbbb4858a6a5?source=api-prod",19,[22,23,24,25,26,27,28,29],"assets\u002Fadmin\u002Fcss\u002Ftourfic-admin.css","assets\u002Fadmin\u002Fcss\u002Ftourfic-admin.css.map","assets\u002Fadmin\u002Fcss\u002Ftourfic-admin.min.css","assets\u002Fadmin\u002Fcss\u002Ftourfic-admin.min.css.map","assets\u002Fadmin\u002Fjs\u002Ftourfic-admin-scripts.min.js","assets\u002Fapp\u002Fcss\u002Ftourfic-carrentals.css","assets\u002Fapp\u002Fcss\u002Ftourfic-carrentals.min.css","assets\u002Fapp\u002Fcss\u002Ftourfic-style.css","researched",false,3,"This research plan outlines the steps to exploit **CVE-2026-39543**, a missing authorization vulnerability in the **Tourfic** plugin.\n\n### 1. Vulnerability Summary\nThe Tourfic plugin (\u003C= 2.21.4) registers several AJAX handlers that perform sensitive actions—such as installing\u002Factivating affiliate plugins, duplicating post data, or changing booking statuses—without verifying the user's capabilities. Specifically, these functions are likely registered using both `wp_ajax_` and `wp_ajax_nopriv_` hooks but fail to implement `current_user_can()` checks. This allows unauthenticated attackers to trigger these actions.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Actions Identified from Source:** \n    *   `tf_affiliate_install`: Installs a hardcoded affiliate plugin (typically \"ReviewX\").\n    *   `tf_affiliate_active`: Activates the affiliate plugin.\n    *   `tf_duplicate_post_data`: Duplicates Tourfic custom post types (Hotels, Tours).\n    *   `tf_ticket_status_change`: Changes booking check-in status.\n*   **Authentication:** Unauthenticated (Privileges Required: None).\n*   **Preconditions:** A valid WordPress nonce may be required if the `wp_verify_nonce` check is present but the capability check is missing.\n\n### 3. Code Flow\n1.  **Entry Point:** The attacker sends a POST request to `admin-ajax.php`.\n2.  **Hook Registration:** The plugin registers handlers in a file like `inc\u002Ffunctions.php` (inferred) using:\n    `add_action( 'wp_ajax_nopriv_tf_affiliate_install', 'tf_affiliate_install_callback' );`\n3.  **Vulnerable Function:** The callback function (e.g., `tf_affiliate_install_callback`) executes.\n4.  **Missing Check:** The function performs logic (like calling `wp_ajax_install_plugin` or modifying `wp_options`) without a `current_user_can( 'manage_options' )` guard.\n5.  **Sink:** The system state is modified (plugin installed\u002Factivated or data duplicated).\n\n### 4. Nonce Acquisition Strategy\nThe AJAX handlers in `assets\u002Fadmin\u002Fjs\u002Ftourfic-admin-scripts.min.js` use a nonce localized in the `tf_admin_params` object. While this is an admin script, the same nonce (`tf_nonce`) is often localized for all users in the `tf_params` object on the frontend to support booking features.\n\n**Strategy:**\n1.  **Setup:** Create a Tourfic Hotel post to ensure Tourfic scripts and nonces are enqueued on the frontend.\n2.  **Navigation:** Visit the newly created Hotel page.\n3.  
**Extraction:** Use `browser_eval` to extract the nonce from the global JavaScript variables.\n    *   **Variable Name:** `window.tf_admin_params` (Admin context) or `window.tf_params` (Frontend context).\n    *   **Key:** `tf_nonce`.\n    *   **Command:** `browser_eval(\"window.tf_params?.tf_nonce || window.tf_admin_params?.tf_nonce\")`\n\n### 5. Exploitation Strategy\nWe will target the `tf_","The Tourfic plugin for WordPress fails to implement capability checks in several AJAX handlers, including those for installing plugins and duplicating data. This allows unauthenticated attackers to perform administrative actions such as installing the ReviewX affiliate plugin or duplicating custom post types, provided they can obtain a valid security nonce.","\u002F\u002F Inferred from AJAX registration in Tourfic plugin\n\u002F\u002F File: inc\u002Ffunctions.php (approximate)\n\nadd_action( 'wp_ajax_nopriv_tf_affiliate_install', 'tf_affiliate_install' );\nadd_action( 'wp_ajax_tf_affiliate_install', 'tf_affiliate_install' );\n\nfunction tf_affiliate_install() {\n    \u002F\u002F Missing current_user_can('manage_options') check\n    $nonce = $_POST['nonce'];\n    if ( ! wp_verify_nonce( $nonce, 'tf_nonce' ) ) {\n        die();\n    }\n    \u002F\u002F Logic to install affiliate plugin (ReviewX)\n}\n\n---\n\n\u002F\u002F File: inc\u002Ffunctions.php (approximate)\n\nadd_action( 'wp_ajax_nopriv_tf_duplicate_post_data', 'tf_duplicate_post_data' );\nadd_action( 'wp_ajax_tf_duplicate_post_data', 'tf_duplicate_post_data' );\n\nfunction tf_duplicate_post_data() {\n    \u002F\u002F Missing current_user_can('edit_posts') check\n    $security = $_POST['security'];\n    if ( ! wp_verify_nonce( $security, 'tf_duplicate_post_nonce' ) ) {\n        die();\n    }\n    \u002F\u002F Logic to duplicate hotel\u002Ftour data\n}","--- a\u002Finc\u002Ffunctions.php\n+++ b\u002Finc\u002Ffunctions.php\n@@ -105,6 +105,9 @@\n function tf_affiliate_install() {\n+    if ( ! 
current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( array( 'message' => __( 'Permission denied', 'tourfic' ) ) );\n+    }\n     check_ajax_referer( 'tf_nonce', 'nonce' );\n     \u002F\u002F Logic to install plugin\n }\n@@ -120,6 +123,9 @@\n function tf_duplicate_post_data() {\n+    if ( ! current_user_can( 'edit_posts' ) ) {\n+        wp_send_json_error( array( 'message' => __( 'Permission denied', 'tourfic' ) ) );\n+    }\n     check_ajax_referer( 'tf_duplicate_post_nonce', 'security' );\n     \u002F\u002F Logic to duplicate post\n }","1. Target Endpoint: The attacker targets the WordPress AJAX endpoint at `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2. Nonce Acquisition: The attacker extracts a valid security nonce (e.g., `tf_nonce`) by visiting a frontend page where Tourfic enqueues scripts, as the plugin often localizes these nonces in the `tf_params` or `tf_admin_params` global JavaScript objects.\n3. Action Selection: The attacker chooses a vulnerable AJAX action, such as `tf_affiliate_install` (to install an affiliate plugin), `tf_duplicate_post_data` (to duplicate content), or `tf_ticket_status_change` (to modify booking metadata).\n4. Request Construction: The attacker sends a POST request to the AJAX endpoint with the selected `action`, the acquired `nonce`, and necessary parameters (like `postID` or `status`).\n5. 
Execution: Because the plugin lacks a `current_user_can()` check in the callback function, the server executes the privileged action despite the attacker being unauthenticated.","gemini-3-flash-preview","2026-04-17 22:29:01","2026-04-17 22:29:55",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.21.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftourfic\u002Ftags\u002F2.21.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftourfic.2.21.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftourfic\u002Ftags\u002F2.21.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftourfic.2.21.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftourfic\u002Ftags"]