CVE-2024-29137

7.1 HIGH

📋 TL;DR

This is a reflected cross-site scripting (XSS) vulnerability in the Tourfic WordPress plugin: a URL parameter is written into a plugin-generated page without adequate escaping, so an attacker who gets a victim to open a crafted link has JavaScript executed in the victim's browser in the context of the site. It affects every WordPress site running Tourfic 2.11.7 or earlier. The injected script can perform actions as the victim (including administrative actions if an administrator is the one who clicks), redirect users, or alter page content. WordPress authentication cookies are HttpOnly by default, so outright cookie theft is less likely than the script simply acting with the victim's session.

💻 Affected Systems

Products:
  • WordPress Tourfic Plugin
Versions: all versions up to and including 2.11.7 (fixed in 2.11.8)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable Tourfic plugin versions are affected regardless of configuration.

📦 What is this software?

Tourfic is a travel, tour and hotel booking plugin for WordPress; it renders public-facing search, listing and booking pages, which is where the reflected parameter reaches visitors' browsers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An administrator opens the crafted link while logged in. The script then runs inside the admin's authenticated session and can issue requests to wp-admin (admin-ajax.php or the REST API, using the nonce already present in the page) to create a new administrator account, upload a plugin that contains a backdoor, edit theme files, deface the site, or read user data. WordPress auth cookies are HttpOnly, so the script usually cannot read them directly, but it does not need to.

🟠 Likely Case

Ordinary visitors or low-privilege users open the link from a phishing message or a planted post: the script redirects them to a malicious or SEO-spam site, shows a fake login prompt to harvest credentials, or performs low-privilege actions in the victim's context.

🟢 If Mitigated

With the fix applied, the reflected input is validated and output-encoded, so a script payload is rendered as inert text instead of being executed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS needs the victim to open an attacker-controlled link (delivered by e-mail, chat, or a planted post), but crafting the link requires no account on the site, and once it is opened the payload executes immediately with no further steps, so the attack is easy to carry out and to automate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.8 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/tourfic/wordpress-tourfic-plugin-2-11-7-reflected-cross-site-scripting-xss-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Tourfic plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable Tourfic Plugin (all platforms)

Temporarily deactivate the vulnerable plugin until it is patched. Deactivation takes the plugin's page-rendering code out of the request path, but it also removes booking functionality from the site, so treat it as a short-term measure:

wp plugin deactivate tourfic

Web Application Firewall (WAF) (all platforms)

Configure the WAF to block XSS payloads aimed at Tourfic endpoints. Use the WAF's maintained XSS rule set rather than a hand-written match on <script>: attackers routinely use event-handler attributes (onerror=, onload=), javascript: URLs and double URL-encoding that a literal pattern misses, and the WAF must decode request parameters before matching.

🧯 If You Can't Patch

  • Add a Content Security Policy (CSP) header that disallows inline and unknown-origin scripts. WordPress core and most themes rely on inline scripts, so roll it out as Content-Security-Policy-Report-Only first and review the reports, or the site will break.
  • Keep the HttpOnly and Secure flags on cookies (WordPress sets HttpOnly on its auth cookies by default). This blocks cookie theft from JavaScript but not actions the script performs as the logged-in user, so it limits rather than prevents the impact.
  • Minimise the number of administrator accounts and have administrators open untrusted links from a browser profile that is not logged in to the site; the worst case needs a privileged user to click.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Tourfic version. If version is 2.11.7 or earlier, you are vulnerable.

Check Version:

wp plugin get tourfic --field=version

Verify Fix Applied:

Verify Tourfic plugin version is 2.11.8 or later in WordPress admin panel.
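The version check above, as an added example that is not part of the advisory or the Tourfic project: it takes the dotted version string that `wp plugin get tourfic --field=version` prints, compares it component-wise (a plain string compare would rank 2.9.0 above 2.11.7) and, when WP-CLI is available, reports on the live install. The `check_site` wrapper and its exit codes are this example's own convention, not a WP-CLI feature.

```shell
# Added example (not from the advisory or the Tourfic project): decide whether an
# installed Tourfic version falls in the affected range of CVE-2024-29137 and,
# when WP-CLI is present, check the live site. Version strings are assumed to
# be dotted numerics as WP-CLI prints them (e.g. "2.11.7").

FIXED_VERSION=2.11.8   # first release outside the affected range

# version_le A B: exit 0 when dotted version A <= B, comparing component-wise
# as integers, so "2.9.0" < "2.11.7" (a string compare would get this wrong).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0   # missing components count as 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0   # equal
    }'
}

# tourfic_vulnerable VERSION: exit 0 when VERSION is older than the fixed release.
# "all versions through 2.11.7" in the advisory means everything before 2.11.8,
# which also covers an odd intermediate build such as 2.11.7.1.
tourfic_vulnerable() {
    ! version_le "$FIXED_VERSION" "$1"
}

# check_site [WP_PATH]: query the live install via WP-CLI (hypothetical wrapper).
# Exit 0 = patched, 1 = vulnerable, 2 = could not determine (plugin absent or
# wp-cli missing). --path is WP-CLI's standard option for the WordPress root.
check_site() {
    wp_path=${1:-.}
    version=$(wp plugin get tourfic --field=version --path="$wp_path" 2>/dev/null) || {
        echo "tourfic not installed at $wp_path, or wp-cli unavailable"
        return 2
    }
    if tourfic_vulnerable "$version"; then
        echo "VULNERABLE: tourfic $version is older than $FIXED_VERSION"
        return 1
    fi
    echo "OK: tourfic $version"
}
```

Run `check_site /var/www/html` on each site; a non-zero exit makes it usable from a fleet-wide loop or a cron job. If it reports VULNERABLE, `wp plugin update tourfic --path=/var/www/html` applies the fix, after which the same check should print OK.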

📡 Detection & Monitoring

Log Indicators:

  • GET or POST requests to Tourfic URLs whose parameters contain script tags, event-handler attributes, or javascript: URLs, either plain or URL-encoded
  • Bursts of such requests from a single client against the same parameter with varying payloads, which is how scanners and manual testers probe for the reflection

Network Indicators:

  • HTTP requests with parameters containing <script>, javascript:, on...= event handlers, or their URL-encoded and double-encoded forms (e.g. %3Cscript%3E, %253Cscript%253E)

SIEM Query:

source="web_server_logs" AND (uri="*tourfic*" AND (query="*<script>*" OR query="*javascript:*" OR query="*%3Cscript%3E*"))

This matches only a literal or singly URL-encoded <script> tag. Extend it with event-handler (onerror=, onload=) and <svg/<img patterns, and URL-decode the query string in the ingest pipeline before matching, or double-encoded payloads will not be caught.
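The same detection logic as the SIEM query above, run over a constructed access log so the encoding problem is visible; this is an added example, not part of the advisory. The request paths, parameter names and client addresses are made up, the payloads are generic XSS test strings rather than anything specific to this CVE, and the decoder handles only the percent-escapes that matter for this pattern.

```shell
# Added example (not from the advisory): detection logic for the log indicators
# above, run over a constructed access log. Paths, parameter names and client
# addresses are hypothetical; the payloads are generic test strings.

# url_decode STRING: decode the percent-escapes that matter for XSS detection.
# %25 ("%") is handled last, so a double-encoded payload still needs a second
# pass; xss_suspect therefore decodes twice, as WAFs commonly do.
url_decode() {
    printf '%s\n' "$1" | sed \
        -e 's/+/ /g' -e 's/%20/ /g' \
        -e 's/%3[cC]/</g' -e 's/%3[eE]/>/g' \
        -e 's/%22/"/g' -e "s/%27/'/g" \
        -e 's/%28/(/g' -e 's/%29/)/g' \
        -e 's/%3[dD]/=/g' -e 's/%3[aA]/:/g' -e 's|%2[fF]|/|g' \
        -e 's/%25/%/g'
}

# Tag openers, javascript: URLs and common inline event handlers. A bare
# "<script>" match (as in the SIEM query above) misses the last two.
XSS_PATTERN='<[[:space:]]*(script|svg|img|iframe|object|embed|body)|javascript:|on(error|load|click|focus|mouseover|toggle)[[:space:]]*='

# xss_suspect REQUEST: exit 0 when REQUEST ("GET /path?query HTTP/1.1") targets
# a Tourfic URL and its decoded form matches XSS_PATTERN.
xss_suspect() {
    case $1 in *tourfic*) ;; *) return 1 ;; esac
    decoded=$(url_decode "$(url_decode "$1")")
    printf '%s\n' "$decoded" | grep -iqE "$XSS_PATTERN"
}

# scan_log FILE: print each combined-log-format line whose request is suspect.
scan_log() {
    while IFS= read -r line; do
        request=$(printf '%s\n' "$line" | awk -F'"' '{ print $2 }')
        xss_suspect "$request" && printf '%s\n' "$line"
    done < "$1"
}

# count_suspects FILE: number of suspect lines, usable as an alert threshold.
count_suspects() {
    scan_log "$1" | awk 'END { print NR }'
}

# Constructed sample log: a benign search, a plain payload, a double-encoded
# payload, and a payload against a non-Tourfic URL (out of scope for this rule).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /?s=paris&post_type=tourfic HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /tourfic-search/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4300
203.0.113.9 - - [10/Mar/2024:12:00:03 +0000] "GET /tourfic-search/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4300
203.0.113.4 - - [10/Mar/2024:12:00:04 +0000] "GET /blog/?s=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 2000
EOF

scan_log "$SAMPLE_LOG"
```

Only the second and third lines are reported: the first is a normal search that merely mentions the plugin, and the fourth carries a payload but not against a Tourfic URL. The event-handler list is deliberately explicit rather than `on[a-z]+=` so that ordinary parameters such as `onsale=1` do not fire; widen it to taste and keep the `*tourfic*` scope in step with the URLs the plugin actually serves on your site.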
