CVE-2024-8860
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-08-26
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | tourfic | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Tourfic plugin for WordPress has a vulnerability where several functions lack proper capability checks. This means that authenticated users with subscriber-level access or higher can perform unauthorized actions such as resending order status emails, updating visitor or order details, editing check-in/out details, changing order statuses, performing bulk order status updates, removing room order IDs, and deleting old review fields. Essentially, users with limited permissions can modify data they should not be allowed to change.
How can this vulnerability impact me? :
This vulnerability allows authenticated users with low-level access (subscriber or above) to modify sensitive order and visitor data without proper authorization. This can lead to unauthorized changes in booking details, order statuses, and visitor information, potentially causing data integrity issues, confusion in order processing, and misuse of the system's email notifications. It may also disrupt business operations relying on accurate booking and order data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring unauthorized AJAX requests related to the vulnerable functions (e.g., tf_order_status_email_resend_function, tf_visitor_details_edit_function, etc.) in the Tourfic plugin. Since the vulnerability allows authenticated users with subscriber-level access to perform unauthorized actions, you can check web server logs for suspicious POST requests to admin-ajax.php endpoints associated with Tourfic plugin actions. Commands to detect such activity could include: 1) Using grep to find AJAX calls in logs: `grep 'admin-ajax.php' /var/log/apache2/access.log | grep -E 'tf_order_status_email_resend_function|tf_visitor_details_edit_function|tf_checkinout_details_edit_function|tf_order_status_edit_function|tf_order_bulk_action_edit_function|tf_remove_room_order_ids|tf_delete_old_review_fields'` 2) Monitoring WordPress user activity logs (if available) for unexpected changes in order status or visitor details. 3) Using network monitoring tools to detect unusual POST requests to the plugin's AJAX endpoints. However, no specific commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Tourfic WordPress plugin to a version later than 2.14.5 where the missing capability checks have been addressed. The update includes nonce verification for AJAX requests and improved backend validation, which help prevent unauthorized modifications. If updating immediately is not possible, restrict access to the WordPress admin area to trusted users only, and consider disabling or limiting AJAX endpoints related to the vulnerable functions. Implementing strong user role management to prevent subscriber-level users from performing sensitive actions can also help mitigate risk. [1]