Tourmaster
by WordPress
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-48292 | | High | 0.53 | 8.1 | 0.01 | | May 23, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GoodLayers Tourmaster tourmaster allows PHP Local File Inclusion. This issue affects Tourmaster: from n/a through <= 5.3.8. |
| CVE-2025-32923 | | High | 0.46 | 7.1 | 0.00 | | Apr 15, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Tourmaster tourmaster allows Reflected XSS. This issue affects Tourmaster: from n/a through < 5.4.1. |
| CVE-2024-12400 | | High | 0.46 | 7.1 | 0.00 | | Jan 30, 2025 | The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. |
| CVE-2024-11356 | | Medium | 0.40 | 6.1 | 0.00 | | Jan 6, 2025 | The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks. |