CVE-2025-24650

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress servers running the Tourfic plugin. It affects all WordPress sites using Tourfic versions up to 2.15.3. Attackers can gain complete control of affected web servers through this file upload flaw.

💻 Affected Systems

Products:
  • Tourfic WordPress Plugin
Versions: n/a through 2.15.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable Tourfic plugin versions enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, ransomware deployment, website defacement, and use as an attack platform for further network penetration.

🟠 Likely Case

Web shell installation enabling persistent backdoor access, data exfiltration, and website manipulation.

🟢 If Mitigated

File upload attempts blocked at the web application firewall level with no successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.15.4 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/tourfic/vulnerability/wordpress-tourfic-plugin-2-15-3-arbitrary-file-upload-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Tourfic plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.15.4+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Tourfic Plugin (Platforms: all)

Temporarily disable the vulnerable plugin until patching is possible:

wp plugin deactivate tourfic

Web Application Firewall Rule (Platforms: all)

Block file uploads to Tourfic endpoints: modify the WAF to block POST requests containing file uploads to /wp-content/plugins/tourfic/

🧯 If You Can't Patch

  • Implement strict file upload validation at web server level
  • Monitor file system for unexpected PHP/executable files in upload directories

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins > Installed Plugins and check the Tourfic version number

Check Version:

wp plugin get tourfic --field=version

Verify Fix Applied:

Confirm Tourfic plugin version is 2.15.4 or higher

📡 Detection & Monitoring

Log Indicators:

  • File uploads to tourfic directories with PHP/executable extensions
  • Unusual POST requests to tourfic endpoints

Network Indicators:

  • HTTP POST requests with file uploads to /wp-content/plugins/tourfic/ paths

SIEM Query:

source="web_server" AND (uri_path="/wp-content/plugins/tourfic/" AND method="POST" AND content_type="multipart/form-data")

Note that an exact match on uri_path only catches requests to the directory itself; uploads are posted to paths beneath it, so use a prefix or wildcard match on /wp-content/plugins/tourfic/ where your SIEM supports it.
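The log and file-system indicators above, turned into a small detector as an added example (not code from the advisory or from the Tourfic project). It assumes access logs in Apache's combined format with the request Content-Type header appended as a final quoted field via %{Content-Type}i; the sample lines are constructed, and the endpoint path after the plugin directory is a placeholder, not a real Tourfic route.

```python
import os
import re
from typing import Iterator, Optional

# Assumed log format: Apache combined format plus the request Content-Type header
# as a trailing quoted field, i.e.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<ctype>[^"]*)"$'
)
TOURFIC_PREFIX = "/wp-content/plugins/tourfic/"
# Extensions a PHP-enabled web server may execute; none of these belong in an uploads tree.
EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def is_suspicious_upload(entry: dict) -> bool:
    # Prefix match on the plugin directory so nested endpoints are caught;
    # an exact match on the directory alone would miss them.
    return (
        entry["method"] == "POST"
        and entry["path"].startswith(TOURFIC_PREFIX)
        and entry["ctype"].lower().startswith("multipart/form-data")
    )

def find_suspicious_uploads(lines: Iterator[str]) -> list:
    return [e for e in (parse_line(l) for l in lines) if e and is_suspicious_upload(e)]

def has_executable_extension(filename: str) -> bool:
    # Inspect every suffix so double-extension names (e.g. "x.php.jpg") are reported too.
    return any("." + p in EXEC_EXTS for p in filename.lower().split(".")[1:])

def scan_upload_dir(root: str) -> list:
    # Walk an uploads tree (e.g. wp-content/uploads) and list executable-looking files.
    found = []
    for dirpath, _, files in os.walk(root):
        found += [os.path.join(dirpath, n) for n in files if has_executable_extension(n)]
    return sorted(found)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "POST /wp-content/plugins/tourfic/EXAMPLE-ENDPOINT HTTP/1.1" 200 512 "-" "Mozilla/5.0" "multipart/form-data; boundary=xyz"',
    '203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-content/plugins/tourfic/assets/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 128 "-" "Mozilla/5.0" "application/x-www-form-urlencoded"',
]

if __name__ == "__main__":
    for hit in find_suspicious_uploads(iter(SAMPLE_LOG)):
        print(f"suspicious upload: {hit['ip']} {hit['ts']} {hit['path']}")
    for path in scan_upload_dir("wp-content/uploads"):
        print(f"executable file in uploads: {path}")
```

Point the script at the real access log and the site's wp-content/uploads directory; a hit from the log check should be correlated with the upload-directory scan before treating it as confirmed.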

🔗 References
