CVE-2024-29135 is an Unrestricted Upload of File with Dangerous Type vulnerability affecting the Themefic Tourfic WordPress plugin, specifically versions up to and including 2.11.15. This vulnerability arises because the plugin fails to properly restrict the types of files that users can upload. As a result, an attacker can upload files containing malicious code, such as PHP scripts, which can then be executed on the server. This can lead to remote code execution, full site compromise, data theft, or the deployment of backdoors and malware. The vulnerability does not require authentication, meaning any unauthenticated user can exploit it if the upload functionality is exposed. The plugin is used primarily for managing tours and travel bookings on WordPress sites, making it a target for attackers seeking to compromise tourism-related websites or any site using this plugin. Although no public exploits have been reported yet, the nature of the vulnerability and the widespread use of WordPress plugins make it a high-risk issue. No CVSS score has been assigned, but the vulnerability is critical due to its potential impact and ease of exploitation. The vulnerability was published on March 19, 2024, and no official patches or updates are currently linked, so users must monitor vendor communications for fixes.

The impact of this vulnerability is potentially severe for organizations using the Tourfic plugin. Successful exploitation can lead to remote code execution, allowing attackers to take full control of the affected web server. This can result in data breaches, defacement, malware distribution, and disruption of business operations. For tourism and travel-related businesses, this could mean loss of customer trust, financial damage, and regulatory penalties if sensitive customer data is exposed. Additionally, compromised sites can be used as launchpads for further attacks within an organization's network or to distribute malware to visitors. The vulnerability's ease of exploitation and lack of authentication requirements increase the likelihood of attacks, especially on publicly accessible websites. Organizations worldwide that rely on WordPress and the Tourfic plugin are at risk, particularly those that have not implemented strict file upload restrictions or monitoring.

To mitigate this vulnerability, organizations should immediately implement strict file upload controls, restricting allowed file types to safe formats such as images (e.g., .jpg, .png) and disallowing executable or script files like .php, .js, or .exe. Web application firewalls (WAFs) can be configured to block suspicious upload attempts and detect malicious payloads. Administrators should monitor upload directories for unauthorized files and remove any suspicious content promptly. It is critical to keep the Tourfic plugin updated; users should watch for official patches or updates from Themefic and apply them as soon as they are released. In the interim, disabling or restricting the upload functionality if not essential can reduce risk. Employing principle of least privilege on the web server and isolating upload directories can limit the damage if exploitation occurs. Regular security audits and file integrity monitoring can help detect exploitation attempts early. Finally, educating site administrators about this vulnerability and encouraging vigilance against suspicious activity is important.