CVE-2026-39543
Received Received - Intake
Missing Authorization in Tourfic Plugin Allows Unauthorized Access

Publication date: 2026-04-08

Last updated on: 2026-04-10

Assigner: Patchstack

Description
Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.21.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39543
EUVD
EUVD-2026-20199
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themefic tourfic to 2.21.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress Tourfic plugin to version 2.21.5 or later, where the issue has been patched.

Additionally, using mitigation services such as Patchstack's auto-updates for vulnerable plugins can help reduce the risk.

Impact Analysis

This vulnerability allows unauthenticated attackers to perform privileged actions without proper authorization.

Although the CVSS score is 5.3, indicating a low severity impact, it can be exploited in mass campaigns targeting many websites indiscriminately.

Exploitation could lead to unauthorized changes or access within the affected WordPress site, potentially compromising site integrity or functionality.

Users are advised to update to version 2.21.5 or later to mitigate this risk.

Executive Summary

CVE-2026-39543 is a broken access control vulnerability in the WordPress Tourfic plugin versions up to and including 2.21.4.

This vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions, which allows unauthenticated users to perform actions that normally require higher privileges.

It is classified under the OWASP Top 10 category A1: Broken Access Control.

Compliance Impact

The provided information does not specify how the missing authorization vulnerability in the Tourfic plugin affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability is a broken access control issue in the WordPress Tourfic plugin (versions up to 2.21.4) that allows unauthenticated users to perform privileged actions due to missing authorization checks.

To detect this vulnerability on your system, you can check the installed version of the Tourfic plugin to see if it is version 2.21.4 or earlier, which are vulnerable.

  • Use WP-CLI to check the plugin version: wp plugin list --status=active
  • Look for 'tourfic' in the output and verify its version.

Additionally, you can monitor HTTP requests to the WordPress site for suspicious unauthenticated attempts to access or perform actions related to the Tourfic plugin endpoints.

  • Use tools like curl or wget to test if unauthorized access is possible, for example: curl -I https://yourwordpresssite.com/wp-content/plugins/tourfic/ (adjust path as needed)

Since the vulnerability involves missing authorization checks, attempts to access or perform privileged actions without authentication may indicate the presence of the vulnerability.

The best mitigation is to update the plugin to version 2.21.5 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39543. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart