CVE-2026-1806
Stored XSS in TourCMS WordPress Plugin Allows Script Injection
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tourcms | tour_activity_operator_plugin | up to and including 1.7.0 |
| tourcms | tour_operator_plugin | up to and including 1.7.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Tour & Activity Operator Plugin for TourCMS, a WordPress plugin, is vulnerable to Stored Cross-Site Scripting (XSS) via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to and including 1.7.0.
This vulnerability exists because of insufficient input sanitization and output escaping, which allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts.
These injected scripts execute whenever any user accesses the page containing the injected content.
How can this vulnerability impact me?
This vulnerability can allow an attacker with Contributor-level access or above to inject malicious scripts into pages of the WordPress site using the TourCMS plugin.
When other users visit these pages, the malicious scripts will execute in their browsers, potentially leading to theft of session cookies, defacement, or other malicious actions.
The CVSS score of 6.4 indicates a medium severity impact, with the potential for confidentiality and integrity loss but no impact on availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the 'target' parameter of the tourcms_doc_link shortcode in the Tour & Activity Operator Plugin for TourCMS, a WordPress plugin, affecting versions up to and including 1.7.0.
Detection comes down to two checks: whether a vulnerable plugin version is installed, and whether the 'target' parameter of the shortcode is being used anywhere to carry script content.
Because injection requires authenticated access at Contributor level or higher, network-level detection is limited. You can, however, check for the presence of the vulnerable plugin version and scan WordPress content for suspicious shortcode usage.
- Check the installed plugin version via WordPress admin or by running: wp plugin list | grep tourcms
- Search WordPress posts and pages for usage of the 'tourcms_doc_link' shortcode with the 'target' parameter (adjust the table prefix if your site does not use the default wp_): wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[tourcms_doc_link%target=%'"
- Look for suspicious script tags or encoded JavaScript within the 'target' parameter in post content.
- Monitor HTTP requests and responses for unexpected script injections in pages generated by the plugin.
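The content check above, carried out in code, as an added example that is not part of the original advisory or the plugin: it extracts every 'target' value from tourcms_doc_link shortcodes in constructed sample wp_posts rows, HTML-decodes it to catch entity-encoded payloads, and flags any value that is not a legitimate browsing-context name (the allow-list and sample rows are this example's assumptions).

```python
import html
import re

# Constructed sample rows standing in for `wp db query` output over wp_posts
# (ID, post_content). Made up for this example; not content from any real site.
SAMPLE_POSTS = [
    (12, '[tourcms_doc_link target="_blank"]Brochure[/tourcms_doc_link]'),
    (15, "Terms: [tourcms_doc_link target='_self']Read[/tourcms_doc_link]"),
    (21, '[tourcms_doc_link target="&lt;script&gt;alert(1)&lt;/script&gt;"]x[/tourcms_doc_link]'),
    (33, "[tourcms_doc_link target='<img src=x onerror=alert(1)>']y[/tourcms_doc_link]"),
    (40, "A post with no shortcode at all."),
]

# Match each opening [tourcms_doc_link ...] tag and capture its attribute string.
SHORTCODE_RE = re.compile(r"\[tourcms_doc_link\b([^\]]*)\]", re.IGNORECASE)
# Match the target attribute in double-quoted, single-quoted or bare form.
TARGET_RE = re.compile(r"""\btarget\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""", re.IGNORECASE)

# What a legitimate <a target> should look like: one of the browsing-context
# keywords or a plain context name. Anything else is flagged for review.
KEYWORDS = {"_blank", "_self", "_parent", "_top"}
NAME_RE = re.compile(r"^[A-Za-z][\w-]*$")


def target_is_safe(value):
    """Return True if the decoded target value is an allow-listed name."""
    decoded = html.unescape(value).strip()  # decode &lt; &gt; &quot; etc. first
    return decoded in KEYWORDS or bool(NAME_RE.match(decoded))


def find_suspicious_targets(posts):
    """Return (post_id, raw_target) for every shortcode target failing the allow-list."""
    hits = []
    for post_id, content in posts:
        for attrs in SHORTCODE_RE.findall(content):
            for m in TARGET_RE.finditer(attrs):
                raw = next(g for g in m.groups() if g is not None)
                if not target_is_safe(raw):
                    hits.append((post_id, raw))
    return hits


if __name__ == "__main__":
    for post_id, raw in find_suspicious_targets(SAMPLE_POSTS):
        print(f"post {post_id}: suspicious target={raw!r}")
```

Feed real rows in by piping the `wp db query` output into this script instead of SAMPLE_POSTS; the allow-list approach also flags values that a keyword-based search for "script" would miss.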
What immediate steps should I take to mitigate this vulnerability?
To mitigate this Stored Cross-Site Scripting vulnerability in the Tour & Activity Operator Plugin for TourCMS, you should immediately:
- Update the plugin to a version later than 1.7.0 if available, where the vulnerability is fixed.
- If an update is not available, restrict Contributor-level and higher user permissions to trusted users only to prevent malicious shortcode injection.
- Audit existing content for malicious scripts injected via the 'target' parameter and remove any suspicious entries.
- Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit the 'target' parameter in the shortcode.
- Consider disabling or removing the plugin temporarily if the risk is high and no patch is available.