CVE-2024-8319 is a Cross-Site Request Forgery vulnerability affecting the Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress plugin in all versions up to 2.11.20. The issue arises from missing or incorrect nonce validation on multiple functions (tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields). This allows unauthenticated attackers to perform sensitive actions by tricking authenticated administrators into clicking malicious links, leading to unauthorized modifications of order and visitor data.

An attacker can cause an authenticated administrator to unknowingly perform actions such as resending order status emails, editing visitor and order details, modifying check-in/out information, bulk updating order statuses, removing room order IDs, and deleting old review fields. While the vulnerability does not allow direct data confidentiality compromise or system availability impact, it can lead to unauthorized data modifications and potential disruption of booking management processes.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should exercise caution when clicking on links or performing actions in the WordPress admin interface related to the Tourfic plugin. Monitoring for plugin updates from themefic and applying them promptly once available is recommended.