GCVE - cpe:2.3:a:goodlayers:tour_master:*:*:*:*:*:wordpress:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:goodlayers:tour_master:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

Vendor	Goodlayers (`28abca21-f7ab-5a0e-b8eb-5a0b2c0aabfd`)
Product	Tour Master (`738f4411-1dc7-5658-9287-7ff9ace0dc8c`)
Edition	*
Language	*
Software edition	*
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-13369`	vulnerable	2026-06-08 06:25:37.544750	Tour Master - Tour Booking, Travel, Hotel <= 5.3.7 - Authenticated (Subscriber+) SQL Injection via review_id Parameter MEDIUM (6.5) The Tour Master - Tour Booking, Travel, Hotel plugin for WordPress is vulnerable to time-based SQL Injection via the ‘review_id’ parameter in all versions up to, and including, 5.3.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Published: 2025-02-18T09:21:15.795Z Updated: 2026-04-08T17:02:55.914Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/7d7f2cb6-5c19-4126-9f39-439cf6057c5b?source=cve https://codecanyon.net/item/tour-master-tour-booking-travel-wordpress-plugin/20539780 https://support.goodlayers.com/document/changelog-tour-master-plugin/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-12400`	vulnerable	2026-06-08 06:23:51.891924	Tourmaster < 5.3.5 - Reflected XSS The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. Published: 2025-01-30T06:00:09.161Z Updated: 2025-01-30T15:49:07.509Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/3542315c-93c3-41dd-a99e-02a38cfd58fb/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-11356`	vulnerable	2026-06-08 06:23:49.493325	Tourmaster < 5.3.4 - Unauthenticated Stored XSS via Room Booking The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks. Published: 2025-01-06T06:00:05.058Z Updated: 2025-01-06T13:39:03.534Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/d70df54e-e99e-4539-9fd9-002c0642137e/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.