eastbaycyber

CVE-2026-12937: SQL Injection in Tourfic Plugin

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-06-25
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-12937
CVSS score 7.5 High
Attack vector Unknown from available NVD output
Authentication required None
Patch status Yes, vulnerable through 2.22.7; exact first fixed version not conclusively verified from retrieved vendor sources

TL;DR - Unauthenticated SQL injection affects Tourfic for WordPress via post_id. - All versions up to and including 2.22.7 should be treated as vulnerable. - Patch quickly, hunt for suspicious admin-ajax.php requests, and assume public exploitation is possible even without confirmed in-the-wild abuse.

What Happened and Why It Matters

CVE-2026-12937 is a high-severity SQL injection flaw in the Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin. According to the NVD record, the bug exists in all versions up to and including 2.22.7 and is reachable through the post_id parameter. The issue is categorized as a generic SQL injection caused by insufficient escaping of user input and insufficient preparation of the affected SQL query.

What makes this issue operationally important is exposure, not just severity. The vulnerable code path is tied to the unauthenticated AJAX action wp_ajax_nopriv_tf_room_availability. The NVD description further states that the required nonce is present on a public single-hotel page template, meaning an attacker does not need credentials and can obtain what they need from a public-facing page. For internet-exposed WordPress sites running Tourfic, that changes this from a theoretical coding bug into a reachable attack surface.

AnalystImpact · assess the risk

Affected Products and Versions

The affected product is the Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin for WordPress, commonly identified by the plugin slug tourfic. Based on the available source material, administrators should treat every Tourfic version less than or equal to 2.22.7 as vulnerable.

The precise first patched version was not conclusively confirmed from the source set available for this article. The NVD wording only confirms that the vulnerability exists through 2.22.7, which implies a fix was introduced in a later release. Because the referenced WordPress Trac pages were not retrievable in this environment and no vendor advisory text was available to validate the exact release number, the safest defender guidance is to upgrade to the latest available Tourfic version newer than 2.22.7 and verify the installed version directly in WordPress or via WP-CLI.

Product Affected Versions Fixed Version
Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin All versions up to and including 2.22.7 Unknown from retrieved sources; upgrade to the latest version newer than 2.22.7

Technical Root Cause and Attack Path

The NVD description identifies the vulnerable input as the post_id parameter. The flaw stems from two familiar causes in WordPress plugin code: user input was not escaped adequately, and the SQL query handling the value was not sufficiently prepared. In practice, that means an attacker may be able to inject SQL fragments into an existing query and manipulate how the database responds.

The attack path matters as much as the bug class. The affected handler is registered via wp_ajax_nopriv_tf_room_availability, which is explicitly exposed to unauthenticated users. Normally defenders might expect a nonce to add friction, but the NVD record says the nonce is emitted on a public single-hotel page template. That means an attacker can browse the public site, collect the nonce, and then call the vulnerable AJAX endpoint without logging in. For site owners running travel booking or hotel booking workflows, the likely impact includes data disclosure from the WordPress database, potentially including user information, customer booking details, configuration data, or password hashes depending on the exact query context and database permissions.

Technical Notes

The NVD references point to code locations under the tourfic plugin, including:

  • inc/Classes/Helper.php
  • inc/Classes/Hotel/Hotel.php
  • AJAX action: tf_room_availability

While the referenced source files were not retrievable here, defenders can still use the published details to focus review and detection efforts around the vulnerable parameter and action name.

A representative attack request pattern would likely involve admin-ajax.php, the tf_room_availability action, and an abnormal post_id value:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

action=tf_room_availability&post_id=1' OR '1'='1&nonce=<publicly_obtained_nonce>

Because the exact payloads used in the wild are unknown, defenders should not overfit to a single string. Focus on abnormal characters or SQL keywords inside post_id and repeated requests to the same AJAX action from the same source.

Exploitation Status and Risk Assessment

At the time of writing, exploitation in the wild is not confirmed from the sources used for this article. Specifically, CVE-2026-12937 is not listed in CISA’s Known Exploited Vulnerabilities catalog, which means there is no CISA-backed confirmation of active exploitation as of 2026-06-25. That said, absence from KEV should not be interpreted as low risk, especially for an unauthenticated SQL injection on a public-facing WordPress plugin.

A public PoC was not confirmed from the retrieved materials either. The vulnerability is documented in NVD and referenced by Wordfence threat intelligence, but a standalone exploit repository or verified GitHub proof of concept was not established here. In the absence of a confirmed PoC, defenders should assume opportunistic weaponization is still plausible. Unauthenticated SQL injection bugs in WordPress plugins are historically high-value targets because they are easy to scan for, remotely reachable, and often deployed on internet-facing SMB sites with inconsistent patching.

Bottom Line

CVE-2026-12937 is a high-severity, unauthenticated SQL injection affecting Tourfic for WordPress through version 2.22.7. The vulnerable path is public-facing, the nonce is obtainable from a public page, and the likely impact is database data exposure. There is no confirmed in-the-wild exploitation from KEV and no verified public PoC from the materials reviewed, but defenders should still treat this as urgent because the attack path is simple and remotely reachable.

For practitioners, the priority order is clear: inventory Tourfic usage, patch to the latest version above 2.22.7, inspect admin-ajax.php activity for tf_room_availability, and escalate to incident response if suspicious requests are found.

For further reading on similar vulnerabilities, consider checking out our articles on what is DLP and how to prioritize critical vulnerabilities.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

ResponderRunbook · act now

How to Detect Exploitation Attempts

Detection should start with the WordPress AJAX surface. Specifically, review web server logs, WAF telemetry, and application monitoring for requests to /wp-admin/admin-ajax.php where the action parameter equals tf_room_availability. From there, pivot on suspicious post_id values, repeated failed requests, bursts from a single IP, and requests that include SQL metacharacters or common extraction patterns.

You should also correlate web requests with downstream database anomalies. If you have MySQL or MariaDB logging enabled, inspect for unusual query failures, syntax errors, or sudden spikes in read-heavy activity tied to the web application account. Because the exact query structure was not available, defenders should not rely on one database error signature. Instead, combine weak signals: public page fetches for hotel templates, nonce retrieval patterns, followed by repeated admin-ajax.php submissions with malformed post_id values.

Technical Notes

A simple Apache or Nginx log triage pattern is to search for the vulnerable action first:

grep -E "admin-ajax\.php" /var/log/nginx/access.log* | grep "tf_room_availability"

Then narrow on obviously malformed post_id values:

grep -E "admin-ajax\.php" /var/log/nginx/access.log* | \
grep "tf_room_availability" | \
grep -E "post_id=.*('|%27|--|%2D%2D|/\*|%2F%2A|union|select|sleep\(|benchmark\()"

A basic Splunk query defenders can adapt:

index=web_logs uri_path="*/wp-admin/admin-ajax.php"
| search uri_query="*action=tf_room_availability*" OR request_body="*action=tf_room_availability*"
| regex _raw="post_id=.*(%27|'|--|/\*|union|select|sleep\(|benchmark\()"
| stats count min(_time) as firstSeen max(_time) as lastSeen by src_ip, http_user_agent, host

A generic Suricata-style HTTP signature concept for tuning, not copy-paste production use:

alert http any any -> $HOME_NET any (
  msg:"Possible Tourfic tf_room_availability SQLi attempt";
  flow:to_server,established;
  http.uri; content:"/wp-admin/admin-ajax.php";
  http.client_body; content:"action=tf_room_availability";
  http.client_body; pcre:"/post_id=.*(?:'|%27|--|union|select|sleep\()/i";
  sid:100012937;
  rev:1;
)

If you do not have adequate logs, assume visibility is incomplete. In that case, prioritize patching and consider the possibility that attempts may have gone unnoticed.

Mitigation and Patching

The primary mitigation is straightforward: upgrade Tourfic to a version newer than 2.22.7, ideally the latest available release. Because the exact first fixed version was not verified from the retrieved vendor or WordPress sources, do not stop at a minimally newer build unless you have independently confirmed the changelog. Updating to the latest release reduces uncertainty and may also pull in unrelated security fixes.

If immediate patching is not possible, reduce exposure around the vulnerable AJAX path. That may include temporarily disabling the plugin, restricting access to hotel booking pages if business impact allows, or using a WAF rule to inspect admin-ajax.php requests containing action=tf_room_availability and suspicious post_id input. Temporary controls are compensating measures only. Because the nonce is publicly obtainable according to NVD, relying on nonce-based protections alone is not a mitigation.

Technical Notes

To verify the installed plugin version with WP-CLI:

wp plugin list | grep tourfic

To update the plugin with WP-CLI:

wp plugin update tourfic

To confirm the plugin is now above the vulnerable range:

wp plugin get tourfic --fields=name,status,version,update_version

If you need an emergency workaround before patching and can tolerate service impact, temporarily deactivate the plugin:

wp plugin deactivate tourfic

If you run a WAF or reverse proxy, a temporary blocking condition could target requests meeting all of these criteria:

  • Path contains /wp-admin/admin-ajax.php
  • Body contains action=tf_room_availability
  • post_id contains SQL metacharacters or SQL keywords

That workaround may reduce exploitation attempts, but it can also create false positives or break booking functionality. Test in staging where possible.

Incident Response Considerations

If you suspect exploitation, do not limit response to web logs. Treat this as a potential database disclosure event. Depending on site usage, impacted data could include WordPress users, password hashes, booking records, customer contact data, and site configuration details. Start by preserving logs, collecting the current plugin version, and identifying the earliest suspicious request to the vulnerable AJAX action.

You should also review whether the site stores sensitive personal or payment-adjacent data in WordPress tables or plugin-specific tables. Rotate database credentials if compromise is suspected, reset WordPress admin credentials where appropriate, and inspect for follow-on activity such as new admin users, modified plugin files, unknown cron jobs, or dropped web shells. Even though this CVE is described as data extraction-focused, SQL injection can serve as an entry point for broader post-exploitation depending on environment and permissions.

References

Source URL
NVD CVE record https://nvd.nist.gov/vuln/detail/CVE-2026-12937
WordPress plugin listing https://wordpress.org/plugins/tourfic
Vendor site https://tourfic.com
Wordfence threat intel reference https://www.wordfence.com/threat-intel/vulnerabilities/id/12c29a44-f9e4-439a-bc3f-18a3640f7924?source=cve

Last verified: 2026-06-25

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.