CVE-2026-1806 in Tour & Activity Operator Plugin for TourCMS
Summary
by MITRE • 03/21/2026
The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2026-1806 affects the Tour & Activity Operator Plugin for TourCMS, a WordPress plugin designed to integrate tour and activity booking functionality. This plugin has been found to contain a stored cross-site scripting flaw that exists in all versions up to and including 1.7.0, representing a critical security weakness that can be exploited by malicious actors with relatively low privileges. The vulnerability specifically resides within the tourcms_doc_link shortcode implementation, where the 'target' parameter fails to undergo proper input sanitization and output escaping measures.
The technical flaw manifests when an attacker with Contributor-level access or higher manipulates the 'target' parameter through the tourcms_doc_link shortcode functionality. This parameter is processed without adequate validation or sanitization, allowing malicious script code to be stored within the plugin's data structures. When legitimate users access pages containing the injected content, the stored scripts execute in their browsers, creating a persistent cross-site scripting attack vector. The vulnerability is classified as stored XSS because the malicious code is permanently saved within the application's database rather than being reflected in a single HTTP request, making it particularly dangerous as it can affect multiple users over time.
The operational impact of this vulnerability is significant for WordPress sites utilizing the affected plugin, as it creates an attack surface that can be exploited by authenticated users who have already gained access to the system through legitimate means. Contributors and higher user roles typically have the ability to create and edit content, making this vulnerability particularly concerning as it allows attackers to escalate their privileges or compromise user sessions. The stored nature of the XSS attack means that any user who accesses pages containing the malicious code will be automatically infected, potentially leading to session hijacking, credential theft, or further exploitation of the compromised systems. This vulnerability directly aligns with CWE-79 which defines cross-site scripting as the failure to properly escape output, and can be mapped to ATT&CK technique T1566.001 which covers the exploitation of web application vulnerabilities for initial access.
Organizations affected by this vulnerability should immediately implement mitigations including updating to the latest version of the plugin where the XSS vulnerability has been patched, implementing proper input validation and output escaping mechanisms, and conducting thorough security audits of all installed plugins. The recommended approach includes disabling the affected shortcode functionality until a patched version is available, implementing web application firewalls to detect and block malicious payloads, and monitoring user activity for signs of unauthorized content injection. Additionally, administrators should review user permissions to ensure that only trusted users have Contributor-level access or higher, as this reduces the attack surface for potential exploitation. The vulnerability demonstrates the importance of proper input sanitization and output escaping practices in web applications, particularly for plugins that handle user-generated content and integrate with external systems.