Tourfic < 2.11.8 – Reflected Cross-Site Scripting | CVE 2024-29137 | Plugin Vulnerabilities

Description

The Tourfic plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.11.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Fixed in 2.11.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/32d4c259-b56d-4f8f-84b8-7ef451fd02ad

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

LVT-tholv2k

Verified

No

WPVDB ID

f93321c7-d4e3-470c-9fd9-8e65c2284c5d

Timeline

Publicly Published

2024-03-18 (about 1 year ago)

Added

2024-03-22 (about 1 year ago)

Last Updated

2024-03-22 (about 1 year ago)

Other

Published

Title

Published

2025-09-19

Title

Draft List < 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2019-05-14

Title

Register IPs <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

Published

2025-12-31

Title

Behance Portfolio Manager <= 1.7.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Better WP Security 3.6.3 - /wp-admin/admin-ajax.php license Parameter Stored XSS Weakness

Published

2023-01-27

Title

Glossary < 2.1.28 - Contributor+ Stored XSS