
CVE-2024-8860: CWE-862 Missing Authorization in themefic Tourfic – Ultimate Travel Booking, Hotel Booking & Car Rental WordPress Plugin | WooCommerce Booking

Severity: Medium
Tags: Vulnerability, CVE-2024-8860, CWE-862
Published: Tue Aug 26 2025 (08/26/2025, 07:06:03 UTC)
Source: CVE Database V5
Vendor/Project: themefic
Product: Tourfic – Ultimate Travel Booking, Hotel Booking & Car Rental WordPress Plugin | WooCommerce Booking

Description

CVE-2024-8860 is a medium severity vulnerability in the Tourfic WordPress plugin, affecting all versions up to and including 2.14.5. It stems from missing authorization checks in multiple functions, allowing authenticated users with subscriber-level access or higher to modify order and visitor data without proper permissions. Exploitation enables unauthorized actions such as resending order status emails, editing visitor and order details, changing check-in/out information, performing bulk order status updates, removing room order IDs, and deleting old review fields. No user interaction is required beyond authentication, and the vulnerability does not impact confidentiality or availability but compromises data integrity. There are no known exploits in the wild currently, and no official patches have been published yet. Organizations using this plugin should prioritize access control reviews and implement compensating controls to mitigate risk until a patch is available.

AI-Powered Analysis

Last updated: 02/25/2026, 22:52:23 UTC

Technical Analysis

The Tourfic – Ultimate Travel Booking, Hotel Booking & Car Rental WordPress plugin (including WooCommerce Booking integration) suffers from a missing authorization vulnerability identified as CVE-2024-8860 (CWE-862). This vulnerability affects all versions up to and including 2.14.5. The root cause is the absence of capability checks in several key plugin functions: tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields. These functions handle critical operations such as resending order status emails, editing visitor and order details, modifying check-in/out data, bulk updating order statuses, removing room order identifiers, and deleting review fields. Because the plugin fails to verify that the authenticated user has the appropriate permissions before executing these functions, any user with subscriber-level access or higher can perform unauthorized modifications. The vulnerability requires authentication but no additional user interaction, and it can be exploited remotely over the network. The CVSS v3.1 base score is 4.3 (medium), reflecting low complexity and no impact on confidentiality or availability, but a clear impact on data integrity. No known exploits have been reported in the wild, and no official patches have been released at the time of publication. The vulnerability was assigned by Wordfence and publicly disclosed on August 26, 2025.

Potential Impact

This vulnerability primarily impacts the integrity of data managed by the Tourfic plugin on WordPress sites. Attackers with subscriber-level access can manipulate booking and order information, potentially leading to fraudulent order modifications, misinformation sent to customers via order status emails, and disruption of booking records. This can undermine customer trust, cause operational disruptions, and complicate financial reconciliation for travel, hotel, and car rental businesses using the plugin. Although confidentiality and availability are not directly affected, the unauthorized data changes could facilitate further attacks or fraud schemes. Organizations relying on Tourfic for booking management face risks of internal misuse or exploitation by compromised low-privilege accounts. The lack of patches and the plugin’s widespread use in the travel and hospitality sectors increase the urgency for mitigation. The absence of known exploits suggests limited active exploitation currently, but the ease of exploitation and the broad scope of affected functions raise concerns for future attacks.

Mitigation Recommendations

Until an official patch is released, organizations should implement strict access controls to limit subscriber-level accounts and regularly audit user roles and permissions within WordPress. Consider temporarily disabling or restricting the Tourfic plugin’s critical functions via custom code or security plugins that enforce capability checks. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable functions. Monitor logs for unusual activity related to order modifications or email resends. Educate administrators and users about the risk of low-privilege account compromise and enforce strong authentication mechanisms, including multi-factor authentication (MFA). Keep WordPress core and all plugins updated and subscribe to vendor advisories for timely patch releases. If feasible, isolate the booking system from other critical infrastructure to limit lateral movement in case of exploitation. Finally, prepare incident response plans to quickly address any detected exploitation attempts.
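The advisory's root cause is a handler that acts on request data without first asking whether the caller is allowed to. The following is an added example, not Tourfic's code and not derived from its source: it shows the CWE-862 shape as a generic WordPress AJAX handler, the same handler hardened with a nonce check and a `current_user_can()` capability check, and a mu-plugin style compensating control of the kind the mitigation text suggests. It assumes the affected operations are reached through admin-ajax.php (the advisory does not say how they are exposed); the action names, the `example_order_status` meta key and the `manage_woocommerce` capability are placeholders chosen for this example.

```php
<?php
// Added example, not the plugin's code. Assumed names: 'example_order_status_edit'
// (AJAX action), 'example_order_status' (meta key), 'manage_woocommerce' (capability).

// --- Vulnerable shape (CWE-862): any authenticated user who can reach
// admin-ajax.php may change an order, because nothing checks who is calling.
// In the vulnerable pattern this would be wired with add_action( 'wp_ajax_...' ).
function example_order_status_edit_unchecked() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    update_post_meta( $order_id, 'example_order_status', $status );
    wp_send_json_success();
}

// --- Hardened shape: CSRF protection (nonce) plus authorization (capability),
// then strict validation of the inputs before any write.
function example_order_status_edit_checked() {
    // Rejects requests without a valid nonce (dies with HTTP 403).
    check_ajax_referer( 'example_order_status_edit', 'nonce' );

    // Authorization: subscriber-level accounts do not hold this capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    // Only known states are accepted; constructed list for this example.
    $allowed = array( 'pending', 'processing', 'completed', 'cancelled' );
    if ( ! $order_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }

    update_post_meta( $order_id, 'example_order_status', $status );
    wp_send_json_success( array( 'order_id' => $order_id, 'status' => $status ) );
}
add_action( 'wp_ajax_example_order_status_edit', 'example_order_status_edit_checked' );

// --- Compensating control (drop into wp-content/mu-plugins/) for the period
// before a vendor patch: gate a list of AJAX actions behind a capability before
// the plugin's own handler runs. admin_init fires for admin-ajax.php requests.
// The action names are placeholders; take the real ones from the plugin source.
function example_gate_privileged_ajax_actions() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $gated  = array( 'placeholder_action_one', 'placeholder_action_two' );
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( in_array( $action, $gated, true ) && ! current_user_can( 'manage_woocommerce' ) ) {
        // Log the denial so order-modification attempts by low-privilege
        // accounts show up in monitoring, as the mitigation text recommends.
        error_log( sprintf( 'blocked ajax action %s for user %d', $action, get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}
add_action( 'admin_init', 'example_gate_privileged_ajax_actions' );
```

The gate runs on `admin_init`, which WordPress fires for admin-ajax.php before the `wp_ajax_*` hook, so the check happens even though the plugin's handler itself is unchanged; it is a stopgap, not a substitute for the vendor adding capability checks inside the affected functions.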


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-09-13T20:35:09.835Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6b38b7ef31ef0b54f681

Added to database: 2/25/2026, 9:35:52 PM

Last enriched: 2/25/2026, 10:52:23 PM

Last updated: 2/26/2026, 7:12:53 AM


