HIGH
masaakitanaka
CVE published 2026-06-06
CVE-2026-9851
CVE-2026-9851 is a high-severity vulnerability in the Booking Package plugin for WordPress. The plugin is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint. The handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the [truncated]