CVE-2026-12937: SQL Injection in Tourfic Plugin
| Field | Value |
|---|---|
| CVE ID | CVE-2026-12937 |
| CVSS score | 7.5 High |
| Attack vector | Unknown from available NVD output |
| Authentication required | None |
| Patch status | Yes, vulnerable through 2.22.7; exact first fixed version not conclusively verified from retrieved vendor sources |
TL;DR - Unauthenticated SQL injection affects Tourfic for WordPress via
post_id. - All versions up to and including2.22.7should be treated as vulnerable. - Patch quickly, hunt for suspiciousadmin-ajax.phprequests, and assume public exploitation is possible even without confirmed in-the-wild abuse.
What Happened and Why It Matters
CVE-2026-12937 is a high-severity SQL injection flaw in the Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin. According to the NVD record, the bug exists in all versions up to and including 2.22.7 and is reachable through the post_id parameter. The issue is categorized as a generic SQL injection caused by insufficient escaping of user input and insufficient preparation of the affected SQL query.
What makes this issue operationally important is exposure, not just severity. The vulnerable code path is tied to the unauthenticated AJAX action wp_ajax_nopriv_tf_room_availability. The NVD description further states that the required nonce is present on a public single-hotel page template, meaning an attacker does not need credentials and can obtain what they need from a public-facing page. For internet-exposed WordPress sites running Tourfic, that changes this from a theoretical coding bug into a reachable attack surface.
Affected Products and Versions
The affected product is the Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin for WordPress, commonly identified by the plugin slug tourfic. Based on the available source material, administrators should treat every Tourfic version less than or equal to 2.22.7 as vulnerable.
The precise first patched version was not conclusively confirmed from the source set available for this article. The NVD wording only confirms that the vulnerability exists through 2.22.7, which implies a fix was introduced in a later release. Because the referenced WordPress Trac pages were not retrievable in this environment and no vendor advisory text was available to validate the exact release number, the safest defender guidance is to upgrade to the latest available Tourfic version newer than 2.22.7 and verify the installed version directly in WordPress or via WP-CLI.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin | All versions up to and including 2.22.7 |
Unknown from retrieved sources; upgrade to the latest version newer than 2.22.7 |
Technical Root Cause and Attack Path
The NVD description identifies the vulnerable input as the post_id parameter. The flaw stems from two familiar causes in WordPress plugin code: user input was not escaped adequately, and the SQL query handling the value was not sufficiently prepared. In practice, that means an attacker may be able to inject SQL fragments into an existing query and manipulate how the database responds.
The attack path matters as much as the bug class. The affected handler is registered via wp_ajax_nopriv_tf_room_availability, which is explicitly exposed to unauthenticated users. Normally defenders might expect a nonce to add friction, but the NVD record says the nonce is emitted on a public single-hotel page template. That means an attacker can browse the public site, collect the nonce, and then call the vulnerable AJAX endpoint without logging in. For site owners running travel booking or hotel booking workflows, the likely impact includes data disclosure from the WordPress database, potentially including user information, customer booking details, configuration data, or password hashes depending on the exact query context and database permissions.
Technical Notes
The NVD references point to code locations under the tourfic plugin, including:
inc/Classes/Helper.phpinc/Classes/Hotel/Hotel.php- AJAX action:
tf_room_availability
While the referenced source files were not retrievable here, defenders can still use the published details to focus review and detection efforts around the vulnerable parameter and action name.
A representative attack request pattern would likely involve admin-ajax.php, the tf_room_availability action, and an abnormal post_id value:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
action=tf_room_availability&post_id=1' OR '1'='1&nonce=<publicly_obtained_nonce>
Because the exact payloads used in the wild are unknown, defenders should not overfit to a single string. Focus on abnormal characters or SQL keywords inside post_id and repeated requests to the same AJAX action from the same source.
Exploitation Status and Risk Assessment
At the time of writing, exploitation in the wild is not confirmed from the sources used for this article. Specifically, CVE-2026-12937 is not listed in CISA’s Known Exploited Vulnerabilities catalog, which means there is no CISA-backed confirmation of active exploitation as of 2026-06-25. That said, absence from KEV should not be interpreted as low risk, especially for an unauthenticated SQL injection on a public-facing WordPress plugin.
A public PoC was not confirmed from the retrieved materials either. The vulnerability is documented in NVD and referenced by Wordfence threat intelligence, but a standalone exploit repository or verified GitHub proof of concept was not established here. In the absence of a confirmed PoC, defenders should assume opportunistic weaponization is still plausible. Unauthenticated SQL injection bugs in WordPress plugins are historically high-value targets because they are easy to scan for, remotely reachable, and often deployed on internet-facing SMB sites with inconsistent patching.
Bottom Line
CVE-2026-12937 is a high-severity, unauthenticated SQL injection affecting Tourfic for WordPress through version 2.22.7. The vulnerable path is public-facing, the nonce is obtainable from a public page, and the likely impact is database data exposure. There is no confirmed in-the-wild exploitation from KEV and no verified public PoC from the materials reviewed, but defenders should still treat this as urgent because the attack path is simple and remotely reachable.
For practitioners, the priority order is clear: inventory Tourfic usage, patch to the latest version above 2.22.7, inspect admin-ajax.php activity for tf_room_availability, and escalate to incident response if suspicious requests are found.
For further reading on similar vulnerabilities, consider checking out our articles on what is DLP and how to prioritize critical vulnerabilities.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
How to Detect Exploitation Attempts
Detection should start with the WordPress AJAX surface. Specifically, review web server logs, WAF telemetry, and application monitoring for requests to /wp-admin/admin-ajax.php where the action parameter equals tf_room_availability. From there, pivot on suspicious post_id values, repeated failed requests, bursts from a single IP, and requests that include SQL metacharacters or common extraction patterns.
You should also correlate web requests with downstream database anomalies. If you have MySQL or MariaDB logging enabled, inspect for unusual query failures, syntax errors, or sudden spikes in read-heavy activity tied to the web application account. Because the exact query structure was not available, defenders should not rely on one database error signature. Instead, combine weak signals: public page fetches for hotel templates, nonce retrieval patterns, followed by repeated admin-ajax.php submissions with malformed post_id values.
Technical Notes
A simple Apache or Nginx log triage pattern is to search for the vulnerable action first:
grep -E "admin-ajax\.php" /var/log/nginx/access.log* | grep "tf_room_availability"
Then narrow on obviously malformed post_id values:
grep -E "admin-ajax\.php" /var/log/nginx/access.log* | \
grep "tf_room_availability" | \
grep -E "post_id=.*('|%27|--|%2D%2D|/\*|%2F%2A|union|select|sleep\(|benchmark\()"
A basic Splunk query defenders can adapt:
index=web_logs uri_path="*/wp-admin/admin-ajax.php"
| search uri_query="*action=tf_room_availability*" OR request_body="*action=tf_room_availability*"
| regex _raw="post_id=.*(%27|'|--|/\*|union|select|sleep\(|benchmark\()"
| stats count min(_time) as firstSeen max(_time) as lastSeen by src_ip, http_user_agent, host
A generic Suricata-style HTTP signature concept for tuning, not copy-paste production use:
alert http any any -> $HOME_NET any (
msg:"Possible Tourfic tf_room_availability SQLi attempt";
flow:to_server,established;
http.uri; content:"/wp-admin/admin-ajax.php";
http.client_body; content:"action=tf_room_availability";
http.client_body; pcre:"/post_id=.*(?:'|%27|--|union|select|sleep\()/i";
sid:100012937;
rev:1;
)
If you do not have adequate logs, assume visibility is incomplete. In that case, prioritize patching and consider the possibility that attempts may have gone unnoticed.
Mitigation and Patching
The primary mitigation is straightforward: upgrade Tourfic to a version newer than 2.22.7, ideally the latest available release. Because the exact first fixed version was not verified from the retrieved vendor or WordPress sources, do not stop at a minimally newer build unless you have independently confirmed the changelog. Updating to the latest release reduces uncertainty and may also pull in unrelated security fixes.
If immediate patching is not possible, reduce exposure around the vulnerable AJAX path. That may include temporarily disabling the plugin, restricting access to hotel booking pages if business impact allows, or using a WAF rule to inspect admin-ajax.php requests containing action=tf_room_availability and suspicious post_id input. Temporary controls are compensating measures only. Because the nonce is publicly obtainable according to NVD, relying on nonce-based protections alone is not a mitigation.
Technical Notes
To verify the installed plugin version with WP-CLI:
wp plugin list | grep tourfic
To update the plugin with WP-CLI:
wp plugin update tourfic
To confirm the plugin is now above the vulnerable range:
wp plugin get tourfic --fields=name,status,version,update_version
If you need an emergency workaround before patching and can tolerate service impact, temporarily deactivate the plugin:
wp plugin deactivate tourfic
If you run a WAF or reverse proxy, a temporary blocking condition could target requests meeting all of these criteria:
- Path contains
/wp-admin/admin-ajax.php - Body contains
action=tf_room_availability post_idcontains SQL metacharacters or SQL keywords
That workaround may reduce exploitation attempts, but it can also create false positives or break booking functionality. Test in staging where possible.
Incident Response Considerations
If you suspect exploitation, do not limit response to web logs. Treat this as a potential database disclosure event. Depending on site usage, impacted data could include WordPress users, password hashes, booking records, customer contact data, and site configuration details. Start by preserving logs, collecting the current plugin version, and identifying the earliest suspicious request to the vulnerable AJAX action.
You should also review whether the site stores sensitive personal or payment-adjacent data in WordPress tables or plugin-specific tables. Rotate database credentials if compromise is suspected, reset WordPress admin credentials where appropriate, and inspect for follow-on activity such as new admin users, modified plugin files, unknown cron jobs, or dropped web shells. Even though this CVE is described as data extraction-focused, SQL injection can serve as an entry point for broader post-exploitation depending on environment and permissions.
References
| Source | URL |
|---|---|
| NVD CVE record | https://nvd.nist.gov/vuln/detail/CVE-2026-12937 |
| WordPress plugin listing | https://wordpress.org/plugins/tourfic |
| Vendor site | https://tourfic.com |
| Wordfence threat intel reference | https://www.wordfence.com/threat-intel/vulnerabilities/id/12c29a44-f9e4-439a-bc3f-18a3640f7924?source=cve |