15 matches found
CVE-2025-48292 WordPress Tourmaster plugin <= 5.3.8 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in GoodLayers Tourmaster tourmaster allows PHP Local File Inclusion. This issue affects Tourmaster: from n/a through <= 5.3.8...
CVE-2025-32923 WordPress Tourmaster plugin < 5.4.1 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in GoodLayers Tourmaster tourmaster allows Reflected XSS. This issue affects Tourmaster: from n/a through < 5.4.1...
WordPress Tour Master plugin <= 5.3.6 - Authenticated (Subscriber+) SQL Injection via review_id Parameter vulnerability
Authenticated (Subscriber+) SQL Injection via review_id Parameter vulnerability discovered by Aiden Thái An in WordPress Plugin Tourmaster versions <= 5.3.6...
WordPress Tourmaster plugin < 5.3.5 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Erwan LR (WPScan) in WordPress Plugin Tourmaster versions < 5.3.5...
CVE-2024-12400
The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting...
CVE-2024-12400
The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting...
CVE-2024-12400 Tourmaster < 5.3.5 - Reflected XSS
The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting...
CVE-2024-12400
CVE-2024-12400 describes a reflected XSS in the Tour Master WordPress plugin prior to v5.3.5, caused by failing to escape generated URLs output in HTML attributes. The issue can be triggered by an attacker crafting a URL that injects malicious script, potentially affecting site visitors. Public d...
CVE-2024-12400 Tourmaster < 5.3.5 - Reflected XSS
The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting...
WordPress plugin tourmaster security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
PT-2025-1830 · WordPress · Tourmaster
Name of the Vulnerable Software and Affected Versions: tourmaster WordPress plugin versions prior to 5.3.5. Description: The issue is related to Reflected Cross-Site Scripting, where generated URLs are not properly escaped before being outputted in attributes. This can lead to malicious scripts...
CVE-2024-11356
The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks...
CVE-2024-11356 Tourmaster < 5.3.4 - Unauthenticated Stored XSS via Room Booking
The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks...
CVE-2024-11356 Tourmaster < 5.3.4 - Unauthenticated Stored XSS via Room Booking
The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks...
CVE-2024-11356
CVE-2024-11356 affects the Tour Master - Tour Booking, Travel, Hotel WordPress plugin (versions prior to 5.3.4). The issue is a Cross-Site Scripting (XSS) vulnerability caused by insufficient sanitization/escaping of parameters when rendered on pages, allowing unauthenticated users to inject scr...