The Tourfic plugin contains a SQL injection vulnerability that allows authenticated subscribers to execute unauthorized database queries, threatening the confidentiality and integrity of site data.

This vulnerability allows an authenticated user with "subscriber" permissions to inject malicious SQL commands via unsanitized input parameters. This bypasses typical input validation mechanisms, providing direct access to the underlying application database.

With a CVSS score of 8.5, this SQL injection vulnerability presents a significant risk of unauthorized data access, modification, or deletion. Attackers could potentially dump sensitive user information, credentials, or configuration data, leading to severe privacy violations and compliance failures.

Immediate Action: Update the Tourfic plugin to the version specified by Themefic as containing the necessary security fixes.

Proactive Monitoring: Enable database query logging to identify and alert on suspicious or malformed SQL queries originating from low-privileged users.

Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious payloads from incoming traffic.

Public Exploit Available: false

The severity of this SQL injection flaw necessitates an immediate update to the latest patched version of the Tourfic plugin. Administrators should also review database access logs to ensure that no unauthorized data extraction has occurred prior to the application of the patch.