PatchSiren cyber security CVE debrief

CVE-2026-9851 masaakitanaka CVE debrief

CVE-2026-9851 is a high-severity vulnerability in the Booking Package plugin for WordPress. The plugin is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint. The handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function. This allows the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). As a result, authenticated attackers with Editor-level access and above can change the email address and password of any account, including Administrator accounts, leading to a full site takeover.

Vendor: masaakitanaka
Product: Booking Package
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-06
Original CVE updated: 2026-06-08
Advisory published: 2026-06-06
Advisory updated: 2026-06-08

Who should care

Owners and administrators of WordPress sites running the Booking Package plugin, particularly sites that grant Editor-level access or above to people other than the site owner, should be aware of this vulnerability and take immediate action to protect their sites.

Technical summary

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover. The vulnerability exists in versions up to, and including, 1.7.16. The issue arises from a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint. The handler only validates a nonce, and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1. This bypasses the only owner-restriction check inside that function, allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user().
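The pattern described above, as an added illustration in WordPress-style PHP. This is not the plugin's own code: the function, nonce and action names are hypothetical, and the stand-in `example_update_user()` only mimics the role the summary assigns to Schedule::updateUser(); `edit_user` and `edit_users` are WordPress core capabilities.

```php
<?php
// Constructed illustration of the pattern the debrief describes. This is not
// Booking Package code: function, nonce and action names are hypothetical.

// Stand-in for the Schedule::updateUser() role: the owner check is the only
// guard and is skipped whenever $administrator is truthy.
function example_update_user( array $userdata, int $administrator ) {
    if ( ! $administrator && (int) $userdata['ID'] !== get_current_user_id() ) {
        return new WP_Error( 'forbidden', 'You may only edit your own account.' );
    }
    return wp_update_user( $userdata ); // target is whatever $userdata['ID'] says
}

function example_read_userdata() {
    return array(
        'ID'         => (int) ( $_POST['user_id'] ?? 0 ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
    );
}

// Weak dispatcher: a valid nonce only shows the request came from a page that
// embedded it, not that the caller may edit other accounts, and the hard-coded
// 1 disables the one remaining guard.
function example_weak_handler() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    $result = example_update_user( example_read_userdata(), 1 );
    wp_send_json_success( $result );
}

// Hardened dispatcher: the capability check is the authorization decision,
// and $administrator is derived from it instead of being hard-coded.
function example_hardened_handler() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    $userdata = example_read_userdata();
    // 'edit_user' is the core meta-capability for editing a given account;
    // it passes for your own account or when you hold 'edit_users'.
    if ( ! current_user_can( 'edit_user', $userdata['ID'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $administrator = current_user_can( 'edit_users' ) ? 1 : 0;
    $result = example_update_user( $userdata, $administrator );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 403 );
    }
    wp_send_json_success( array( 'ID' => $result ) );
}
add_action( 'wp_ajax_example_action', 'example_hardened_handler' );
```

The point of the hardened version is that the nonce remains a CSRF check only; who may edit which account is decided by `current_user_can()`, so an Editor account cannot reach `wp_update_user()` with another user's ID.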

Defensive priority

high

Recommended defensive actions

  • Update the Booking Package plugin to a version beyond 1.7.16.
  • Restrict access to the package_app_action AJAX endpoint.
  • Monitor for suspicious activity related to account changes.

Evidence notes

The vulnerability was reported by [email protected]. The CVE record is available at [cve-org]. The NVD detail can be found at [nvd]. Additional information can be found in the source references [ref-4], [ref-5], [ref-6], [ref-7], and [ref-8].

Official resources

CVE-2026-9851 was published on 2026-06-06T05:16:30.047Z and modified on 2026-06-08T14:57:14.757Z.