📄 Description (English)
The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🤖 AI Executive Summary
The Tour & Activity Operator Plugin for TourCMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the tourcms_doc_link shortcode affecting versions up to 1.7.0. Authenticated attackers with Contributor-level access can inject malicious scripts that execute for all users viewing affected pages. While currently unpatched, the medium CVSS score (6.4) and authentication requirement limit immediate risk, but organizations using this plugin should implement compensating controls immediately.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 15, 2026 14:55
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations operating tourism and hospitality websites using WordPress with the TourCMS plugin face elevated risk. Primary impact sectors include: Tourism & Hospitality (SCTH-regulated entities), E-commerce platforms offering tour packages, Government tourism portals (Saudi Tourism Authority), and Travel agencies. Compromised websites could lead to credential theft from tourists, malware distribution, defacement, and reputational damage. The vulnerability is particularly concerning for organizations handling payment information or personal data of international visitors.
🏢 Affected Saudi Sectors
Tourism & Hospitality
E-commerce
Government (Tourism Authority)
Travel & Booking Agencies
Hospitality Management
Event Management
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application (WordPress plugin vulnerability)
T1598 - Phishing (credential harvesting via injected scripts)
T1566 - Phishing (malware distribution through compromised pages)
T1059 - Command and Scripting Interpreter (JavaScript execution)
T1547 - Boot or Logon Initialization Scripts (persistent XSS payload)
T1583 - Acquire Infrastructure (attacker-controlled domains in injected scripts)
⚖️ Saudi Risk Score (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations for TourCMS plugin presence and version (versions ≤1.7.0 are vulnerable)
2. Review user access logs for Contributor-level and above accounts to identify suspicious activity
3. Scan published pages/posts containing [tourcms_doc_link] shortcodes for injected scripts
COMPENSATING CONTROLS (until patch available):
1. Restrict Contributor-level access to only trusted personnel; audit existing contributors
2. Implement Web Application Firewall (WAF) rules to detect/block XSS payloads in shortcode parameters
3. Enable WordPress security plugins (Wordfence, Sucuri) with XSS detection enabled
4. Apply Content Security Policy (CSP) headers to prevent inline script execution
5. Disable the tourcms_doc_link shortcode if not actively used
DETECTION:
1. Monitor WordPress logs for shortcode usage patterns: grep for 'tourcms_doc_link' in post_content
2. Search database for common XSS payloads in post_meta and post_content: <script>, javascript:, onerror=, onload=
3. Enable WordPress audit logging for post modifications by Contributor+ users
4. Alert on any post revisions containing script tags within 24 hours of publication
PATCHING:
1. Monitor plugin repository for version 1.7.1+ release
2. Establish update testing procedure before production deployment
3. Consider alternative tour booking plugins if vendor does not release patch within 30 days
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress للتحقق من وجود مكون TourCMS والإصدار (الإصدارات ≤1.7.0 معرضة للخطر)
2. مراجعة سجلات الوصول للمستخدمين على مستوى المساهم وما فوقه لتحديد النشاط المريب
3. فحص الصفحات/المنشورات المنشورة التي تحتوي على اختصارات [tourcms_doc_link] للبحث عن البرامج النصية المحقونة
الضوابط التعويضية (حتى توفر التصحيح):
1. تقييد الوصول على مستوى المساهم للموظفين الموثوقين فقط؛ تدقيق المساهمين الحاليين
2. تطبيق قواعد جدار الحماية لتطبيقات الويب (WAF) للكشف عن حمولات XSS وحجبها في معاملات الاختصار
3. تفعيل مكونات أمان WordPress (Wordfence, Sucuri) مع تفعيل كشف XSS
4. تطبيق رؤوس Content Security Policy (CSP) لمنع تنفيذ البرامج النصية المضمنة
5. تعطيل اختصار tourcms_doc_link إذا لم يكن قيد الاستخدام النشط
الكشف:
1. مراقبة سجلات WordPress لأنماط استخدام الاختصارات: البحث عن 'tourcms_doc_link' في post_content
2. البحث في قاعدة البيانات عن حمولات XSS الشائعة: <script>، javascript:، onerror=، onload=
3. تفعيل تسجيل تدقيق WordPress لتعديلات المنشورات من قبل مستخدمي Contributor+
4. التنبيه على أي مراجعات منشورات تحتوي على علامات البرامج النصية خلال 24 ساعة من النشر
التصحيح:
1. مراقبة مستودع المكون لإصدار 1.7.1+ أو أحدث
2. إنشاء إجراء اختبار التحديث قبل النشر في الإنتاج
3. النظر في مكونات حجز الجولات البديلة إذا لم يصدر البائع تصحيحاً خلال 30 يوماً
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships (plugin vendor accountability)
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements (patch management SLAs)
ECC 2024 A.12.6.1 - Management of technical vulnerabilities (timely patching procedures)
ECC 2024 A.5.23 - Access control for information systems (Contributor-level access restrictions)
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Business Environment (third-party risk management for plugins)
SAMA CSF PR.AC-1 - Access Control (authentication and authorization for content management)
SAMA CSF PR.DS-2 - Data Security (protection against injection attacks)
SAMA CSF DE.CM-1 - Detection and Analysis (monitoring for XSS exploitation)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Restriction of access to information (user access management)
ISO 27001:2022 A.8.1 - User endpoint devices (malware and XSS prevention)
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities (patch management)
ISO 27001:2022 A.14.2.1 - Supplier relationship information security (third-party plugin risk)
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches must be installed within defined timeframe
PCI DSS 6.5.7 - Cross-site scripting prevention required
PCI DSS 7.1 - Limit access to system components by business need-to-know
🔗 References & Sources 3
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/tour-operator-plugin/tags/1.7.0/tourcms-plug...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/tour-operator-plugin/trunk/tourcms-plugin.ph...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/4e9f16e1-9748-4f5d-84f0-19da6...
security@wordfence.com