CVE-2024-12032 is an SQL Injection vulnerability identified in the Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress plugin, including its WooCommerce Booking integration. The flaw exists in all versions up to and including 2.15.3 within the 'tf_enquiry_reply_email_callback' function, specifically via the 'enquiry_id' parameter. The root cause is insufficient escaping and lack of proper preparation of SQL queries that incorporate user-supplied input. Authenticated attackers with at least Subscriber-level privileges can exploit this vulnerability by injecting additional SQL commands into the existing query structure. This injection can be used to extract sensitive information from the backend database, such as user data, booking details, or other confidential records stored by the plugin. The vulnerability does not require user interaction beyond authentication and does not affect the integrity or availability of the system, focusing primarily on confidentiality breaches. Although no public exploits have been reported, the ease of exploitation combined with the widespread use of WordPress and this plugin makes it a significant concern. The CVSS v3.1 base score is 6.5, indicating a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The vulnerability is classified under CWE-89, which pertains to improper neutralization of special elements in SQL commands, a common and critical web application security issue.

The primary impact of CVE-2024-12032 is unauthorized disclosure of sensitive data stored in the WordPress database used by the Tourfic plugin. Attackers with Subscriber-level access can leverage this flaw to extract confidential information such as customer booking details, personal information, and potentially payment-related data if stored insecurely. This breach of confidentiality can lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential financial losses. Although the vulnerability does not allow modification or deletion of data, the exposure of sensitive information alone can have severe consequences for organizations relying on this plugin. Given the plugin's focus on hotel and travel bookings, businesses in the hospitality and travel sectors are particularly vulnerable. The attack vector is remote and network-based, increasing the risk of exploitation in multi-tenant hosting environments or compromised user accounts. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code could emerge. Organizations worldwide using this plugin should consider the impact on customer trust and legal liabilities arising from data breaches.

To mitigate CVE-2024-12032, organizations should immediately update the Tourfic plugin to a patched version once released by the vendor. Until an official patch is available, administrators should restrict plugin access to trusted users only and consider temporarily disabling the plugin if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'enquiry_id' parameter can provide interim protection. Review and tighten user role permissions to minimize the number of users with Subscriber-level or higher access. Conduct thorough audits of database access logs and plugin usage to detect any anomalous activity. Additionally, applying principle of least privilege on database accounts used by WordPress can limit the scope of data exposure. Developers should refactor the vulnerable function to use parameterized queries or prepared statements to ensure proper input sanitization. Regularly backing up databases and monitoring for unusual queries can help in early detection and recovery. Finally, educating users about the risks of privilege escalation and enforcing strong authentication mechanisms will reduce the attack surface.