CVE-2026-39543
Missing Authorization in Tourfic Plugin Allows Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-10
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themefic | tourfic | to 2.21.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to perform privileged actions without proper authorization.
Although the CVSS score is 5.3, indicating a low severity impact, it can be exploited in mass campaigns targeting many websites indiscriminately.
Exploitation could lead to unauthorized changes or access within the affected WordPress site, potentially compromising site integrity or functionality.
Users are advised to update to version 2.21.5 or later to mitigate this risk.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WordPress Tourfic plugin to version 2.21.5 or later, where the issue has been patched.
Additionally, using mitigation services such as Patchstack's auto-updates for vulnerable plugins can help reduce the risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the missing authorization vulnerability in the Tourfic plugin affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-39543 is a broken access control vulnerability in the WordPress Tourfic plugin versions up to and including 2.21.4.
This vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions, which allows unauthenticated users to perform actions that normally require higher privileges.
It is classified under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a broken access control issue in the WordPress Tourfic plugin (versions up to 2.21.4) that allows unauthenticated users to perform privileged actions due to missing authorization checks.
To detect this vulnerability on your system, you can check the installed version of the Tourfic plugin to see if it is version 2.21.4 or earlier, which are vulnerable.
- Use WP-CLI to check the plugin version: wp plugin list --status=active
- Look for 'tourfic' in the output and verify its version.
Additionally, you can monitor HTTP requests to the WordPress site for suspicious unauthenticated attempts to access or perform actions related to the Tourfic plugin endpoints.
- Use tools like curl or wget to test if unauthorized access is possible, for example: curl -I https://yourwordpresssite.com/wp-content/plugins/tourfic/ (adjust path as needed)
Since the vulnerability involves missing authorization checks, attempts to access or perform privileged actions without authentication may indicate the presence of the vulnerability.
The best mitigation is to update the plugin to version 2.21.5 or later.