CVE-2026-12937

HIGH 7.5

Tourfic <= 2.22.7 - Unauthenticated SQL Injection via 'post_id' Parameter

CVSS Score

7.5

EPSS Score

0.3%

EPSS Percentile

22th

The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler is registered for unauthenticated users via wp_ajax_nopriv_tf_room_availability, and the required nonce is emitted on the public single-hotel page template, allowing unauthenticated attackers to freely obtain a valid nonce and reach the vulnerable code path.

CWE	CWE-89
Vendor	themefic
Product	tourfic – ai powered travel booking, hotel booking & car rental wordpress plugin
Published	Jun 25, 2026
Last Updated	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for themefic tourfic – ai powered travel booking, hotel booking & car rental wordpress plugin

Be the first to know when new high vulnerabilities affecting themefic tourfic – ai powered travel booking, hotel booking & car rental wordpress plugin are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

themefic / Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin

0 ≤ 2.22.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

PRISM