Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking <= 2.15.3 - Authenticated (Subscriber+) SQL Injection

Wordfence Intelligence   >   Vulnerability Database   >   Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking <= 2.15.3 - Authenticated (Subscriber+) SQL Injection
6.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE CVE-2024-12032
CVSS 6.5 (Medium)
Publicly Published December 24, 2024
Last Updated December 25, 2024
Researcher Thái An

Description

The Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking plugin for WordPress is vulnerable to SQL Injection via the 'enquiry_id' parameter of the 'tf_enquiry_reply_email_callback' function in all versions up to, and including, 2.15.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Learn more about SQL Injection vulnerabilities and how to prevent them.

References

Share

Vulnerability Details for Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin

Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin

Software Type Plugin
Software Slug tourfic (view on wordpress.org)
Patched? Yes
Remediation Update to version 2.15.4, or a newer patched version
Affected Version
  • <= 2.15.3
Patched Version
  • 2.15.4

Recent vulnerabilities in Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin

Tourfic <= 2.21.4 - Missing Authorization
5.3
CVE-2026-39543
Mar 28, 2026
Researcher: Bao - BlueRock
Tourfic <= 2.15.3 - Authenticated (Admin+) Arbitrary File Upload
7.2
CVE-2025-24650
Jan 24, 2025
Researcher: I8BL
Tourfic <= 2.14.5 - Missing Authorization in Multiple Functions
4.3
CVE-2024-8860
Sep 13, 2024
Researchers:
Tourfic <= 2.11.20 - Cross-Site Request Forgery in Multiple Functions
4.3
CVE-2024-8319
Aug 29, 2024
Researchers:
Tourfic <= 2.11.7 - Reflected Cross-Site Scripting
6.1
CVE-2024-29137
Mar 18, 2024
Researcher: LVT-tholv2k
Tourfic <= 2.11.17 - Authenticated (Subscriber+) PHP Object Injection
8.8
CVE-2024-29136
Mar 18, 2024
Researcher: LVT-tholv2k
Tourfic <= 2.11.15 - Authenticated (Subscriber+) Arbitrary File Upload
8.8
CVE-2024-29135
Mar 18, 2024
Researcher: LVT-tholv2k
Tourfic <= 2.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2024-29134
Mar 18, 2024
Researcher: LVT-tholv2k
# Title CVE ID CVSS Researchers Date
1 Tourfic <= 2.21.4 - Missing Authorization CVE-2026-39543 5.3 Bao - BlueRock March 28, 2026
2 Tourfic <= 2.15.3 - Authenticated (Admin+) Arbitrary File Upload CVE-2025-24650 7.2 I8BL January 24, 2025
3 Tourfic <= 2.14.5 - Missing Authorization in Multiple Functions CVE-2024-8860 4.3 September 13, 2024
4 Tourfic <= 2.11.20 - Cross-Site Request Forgery in Multiple Functions CVE-2024-8319 4.3 August 29, 2024
5 Tourfic <= 2.11.7 - Reflected Cross-Site Scripting CVE-2024-29137 6.1 LVT-tholv2k March 18, 2024
6 Tourfic <= 2.11.17 - Authenticated (Subscriber+) PHP Object Injection CVE-2024-29136 8.8 LVT-tholv2k March 18, 2024
7 Tourfic <= 2.11.15 - Authenticated (Subscriber+) Arbitrary File Upload CVE-2024-29135 8.8 LVT-tholv2k March 18, 2024
8 Tourfic <= 2.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-29134 6.4 LVT-tholv2k March 18, 2024
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation