CVE-2024-12400

7.1 HIGH

📋 TL;DR

The tourmaster WordPress plugin before version 5.3.5 does not escape URLs before outputting them in HTML attributes, which leaves it open to reflected cross-site scripting: an attacker who gets a user to open a specially crafted link can run script in that user's browser in the context of the site. Any WordPress site running a vulnerable version of the tourmaster plugin is affected.

💻 Affected Systems

Products:
  • tourmaster WordPress plugin
Versions: All versions before 5.3.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations using the vulnerable tourmaster plugin versions are affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full site compromise.

🟠 Likely Case

Attackers steal user session cookies or credentials, leading to unauthorized access to user accounts.

🟢 If Mitigated

With proper input validation and output escaping, the vulnerability is prevented, and no impact occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (clicking a malicious link) and knowledge of the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.3.5

Vendor Advisory: https://wpscan.com/vulnerability/3542315c-93c3-41dd-a99e-02a38cfd58fb/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the tourmaster plugin.
4. Click 'Update Now' if available, or manually update to version 5.3.5 or later.

🔧 Temporary Workarounds

Disable tourmaster plugin (all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate tourmaster

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in URLs.
  • Use Content Security Policy (CSP) headers to restrict script execution sources.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for tourmaster version below 5.3.5.

Check Version:

wp plugin get tourmaster --field=version

Verify Fix Applied:

Confirm tourmaster plugin version is 5.3.5 or higher in WordPress admin panel.
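The manual and WP-CLI checks above compare a dotted version string against 5.3.5, which is easy to get wrong by string comparison (5.3.10 sorts before 5.3.5 as text). The following POSIX sh script is an added example, not part of the advisory or the tourmaster plugin: it compares versions component by component and reports whether an installed version is below the fixed release. The fixed version and the `wp plugin get tourmaster --field=version` command come from this advisory; the script name and the argument form are assumptions so the check can be exercised without WP-CLI present.

```shell
#!/bin/sh
# Added example, not part of the advisory or the tourmaster project: decide
# whether a tourmaster version string is below the fixed release 5.3.5.
# FIXED_VERSION comes from the advisory. The installed version would normally
# be read with `wp plugin get tourmaster --field=version`; the functions take
# it as an argument so the comparison can be exercised without WP-CLI.

FIXED_VERSION="5.3.5"

# version_lt A B: succeed (exit 0) when A is strictly lower than B, comparing
# dotted components numerically ("5.3.10" is newer than "5.3.5"). Missing
# components count as 0, and any non-digit suffix such as "-beta" is ignored.
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}
        if [ "$ap" = "$a" ]; then a=''; else a=${a#*.}; fi
        bp=${b%%.*}
        if [ "$bp" = "$b" ]; then b=''; else b=${b#*.}; fi
        # keep only the leading digits of each component
        ap=${ap%%[!0-9]*}
        bp=${bp%%[!0-9]*}
        ap=${ap:-0}
        bp=${bp:-0}
        if [ "$ap" -lt "$bp" ]; then return 0; fi
        if [ "$ap" -gt "$bp" ]; then return 1; fi
    done
    return 1   # all components equal
}

# is_vulnerable VERSION: succeed when VERSION is below FIXED_VERSION
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# report VERSION: print a one-line verdict
report() {
    if is_vulnerable "$1"; then
        echo "tourmaster $1 is below $FIXED_VERSION: VULNERABLE, update required"
    else
        echo "tourmaster $1 is $FIXED_VERSION or later: patched"
    fi
}

# Usage: ./check_tourmaster.sh [VERSION]   (script name is assumed)
# With no argument, query the installed version through WP-CLI if present.
if [ -n "${1:-}" ]; then
    report "$1"
elif command -v wp >/dev/null 2>&1; then
    report "$(wp plugin get tourmaster --field=version)"
fi
```

Run it from the WordPress root where WP-CLI is configured, or pass a version string directly to test the comparison. A pre-release suffix on an otherwise-fixed version (for example 5.3.5-beta) is treated as 5.3.5, so confirm such builds against the vendor advisory rather than trusting the numeric comparison.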

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL parameters containing script tags or JavaScript in web server logs.

Network Indicators:

  • HTTP requests with suspicious parameters containing script tags or JavaScript code.

SIEM Query:

source="web_server_logs" AND (url="*<script*" OR url="*javascript:*")
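The log and network indicators above name `<script` and `javascript:` in request URLs. The following POSIX sh script is an added example, not part of the advisory: it filters access-log lines for those indicators and, going slightly beyond the SIEM query, also for their percent-encoded forms (`%3Cscript`, `javascript%3A`), which is how a reflected payload usually appears in a web server log. The match is restricted to the request line so that Referer or User-Agent fields do not trigger it. The log lines are constructed samples in Apache/nginx combined format, not real traffic.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag access-log lines whose request
# URL carries the indicators the advisory names ("<script" and "javascript:"),
# plus their percent-encoded forms. The log lines below are constructed samples
# in combined log format; the addresses are documentation-range (203.0.113.0/24).

SAMPLE_LOG='203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /tour/?ref=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2025:10:00:01 +0000] "GET /tour/?ref=https://example.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Jan/2025:10:00:02 +0000] "GET /tour/?ref=javascript:alert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-content/plugins/tourmaster/js/script.js HTTP/1.1" 200 9000 "http://example.com/tour/?ref=%3Cscript%3E" "Mozilla/5.0"'

# xss_indicator_lines: read log lines on stdin, print those whose request line
# (the "METHOD URL HTTP/x" field) contains an indicator. Anchoring on the
# request line keeps Referer and User-Agent fields from triggering (the fourth
# sample line carries "%3Cscript" only in its Referer), and requiring "<script"
# rather than bare "script" keeps paths such as script.js quiet.
xss_indicator_lines() {
    grep -iE '"(GET|POST|HEAD) [^" ]*(<script|%3Cscript|javascript:|javascript%3A)[^" ]* HTTP/'
}

# xss_source_ips: unique client addresses behind the flagged requests
xss_source_ips() {
    xss_indicator_lines | cut -d ' ' -f 1 | sort -u
}

# count_sample_hits: number of flagged lines in the constructed sample
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | xss_indicator_lines | wc -l | tr -d ' '
}

# Run against the sample; for a real log use: xss_indicator_lines < access.log
printf '%s\n' "$SAMPLE_LOG" | xss_indicator_lines
```

Two of the four sample lines are flagged (the encoded `<script>` and the `javascript:` URL); the benign referral and the plugin's own script.js request are not. Matches are a triage signal, not proof of exploitation: a hit shows an attempt reached the server, and whether the plugin was vulnerable at the time follows from the version check, not from the log.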
