PatchSiren cyber security CVE debrief
CVE-2026-9185 sixstorage CVE debrief
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.
- Vendor: sixstorage
- Product: 6Storage Rentals
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Site owners running the 6Storage Rentals plugin for WordPress, particularly on versions up to and including 2.22.0, should be aware of this vulnerability and take the defensive actions listed below to protect their sites and their tenants' data.
Technical summary
The vulnerability exists in the 6Storage Rentals plugin for WordPress, specifically in the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. These actions are registered on `wp_ajax_nopriv_*` hooks, allowing unauthenticated access. The functions `six_storage_getUserInfo()` and `six_storage_updateProfile()` accept a `userId` parameter directly from `$_POST['userId']` without proper validation, enabling attackers to bypass authorization and access or modify tenant profile data.
Defensive priority
High
Recommended defensive actions
- Update the 6Storage Rentals plugin to a version beyond 2.22.0, if available.
- Restrict access to the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions to authenticated users only.
- Add ownership verification and nonce validation, alongside input validation and sanitization, in the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions, so that any supplied `userId` is bound to the requesting user's session rather than trusted as-is.
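As an added illustration, not the plugin's own code, the following is a hypothetical hardened shape for the two handlers named in the technical summary, applying the checks the advisory says are missing (nonce validation, authentication, and binding of `userId` to the session). The nonce action name `six_storage_profile`, the `phone` user-meta key, and treating tenants as ordinary WordPress users are assumptions.

```php
<?php
// Added example, not the plugin's own code: a hypothetical hardened shape for the two
// handlers named in this advisory. Assumed: nonce action 'six_storage_profile', a
// 'phone' user-meta key, and tenants being ordinary WordPress users.
// Register on the authenticated wp_ajax_ hooks only. The defect described above was
// registration on wp_ajax_nopriv_*, which also serves anonymous requests.
add_action( 'wp_ajax_six_storage_get_user_info', 'six_storage_get_user_info_hardened' );
add_action( 'wp_ajax_six_storage_update_profile', 'six_storage_update_profile_hardened' );

// Shared gate: nonce check, login check, then binding of userId to the session.
// Returns the user ID the caller may act on; ends the request otherwise.
function six_storage_authorize_profile_request() {
    check_ajax_referer( 'six_storage_profile', 'nonce' ); // wp_die()s on a bad nonce
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }
    $current_id   = get_current_user_id();
    $requested_id = isset( $_POST['userId'] ) ? absint( wp_unslash( $_POST['userId'] ) ) : $current_id;
    // Ownership verification: a client-supplied userId is honoured only when it matches
    // the logged-in user, or when the caller holds an administrative capability.
    if ( $requested_id !== $current_id && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
    return $requested_id;
}

function six_storage_get_user_info_hardened() {
    $user_id = six_storage_authorize_profile_request();
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }
    wp_send_json_success( array(
        'name'  => $user->display_name,
        'email' => $user->user_email,
        'phone' => get_user_meta( $user_id, 'phone', true ),
    ) );
}

function six_storage_update_profile_hardened() {
    $user_id = six_storage_authorize_profile_request();
    // Accept only an explicit allow-list of fields and sanitize each; never write $_POST wholesale.
    $name  = isset( $_POST['name'] )  ? sanitize_text_field( wp_unslash( $_POST['name'] ) )  : '';
    $phone = isset( $_POST['phone'] ) ? sanitize_text_field( wp_unslash( $_POST['phone'] ) ) : '';
    if ( '' !== $name ) {
        wp_update_user( array( 'ID' => $user_id, 'display_name' => $name ) );
    }
    update_user_meta( $user_id, 'phone', $phone );
    wp_send_json_success( array( 'updated' => $user_id ) );
}
```

The client side must send the nonce as the `nonce` field, obtained from `wp_create_nonce( 'six_storage_profile' )` on a page rendered for the logged-in user; without it every request is rejected before any record is touched.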
Evidence notes
The vulnerability was reported by [email protected] and is documented in various references, including the CVE record and NVD detail pages.
Official resources
CVE-2026-9185 was published on 2026-06-09T05:16:41.213Z and modified on 2026-06-09T13:33:34.393Z.