The Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress plugin suffers from missing authorization checks (CWE-862) in multiple functions including tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields. This flaw allows authenticated users with low privileges (subscriber-level and above) to perform unauthorized actions such as resending order emails and modifying various order and visitor details. The vulnerability affects all versions up to and including 2.14.5. The CVSS 3.1 base score is 4.3, indicating medium severity, with an attack vector of network, low attack complexity, and requiring low privileges without user interaction.

An attacker with subscriber-level access or higher can exploit this vulnerability to modify order-related data and resend emails without proper authorization. This can lead to unauthorized changes in booking and order information, potentially disrupting business operations or causing confusion among customers. There is no direct confidentiality or availability impact reported, but integrity of order data is compromised.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level access carefully and monitor for suspicious activity related to order modifications. Avoid granting unnecessary privileges to low-level users. Follow up with the vendor for updates on patches or official fixes.