What the vulnerability does
01 Description
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. The cause is a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint: the handler validates only a nonce, and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1. That hard-coded value bypasses the only owner-restriction check inside the function, so the target user is determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.
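To make the authorization gap concrete, the following is an added, schematic example and not the Booking Package plugin's own code. It places the weak pattern the advisory describes (nonce check only, target user taken from the request, an "is administrator" decision made by the dispatcher rather than by WordPress's capability system) next to a hardened version of the same kind of AJAX handler. The function names (bp_ajax_update_user_weak, bp_ajax_update_user_hardened), the nonce action name 'bp_update_user' and the POST field names are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, user_can, wp_update_user, wp_check_password, wp_send_json_error) are real.

```php
<?php
// Added schematic example, not the plugin's own code. Names below are hypothetical.

// --- Weak pattern (the shape the advisory describes) ----------------------
// A nonce only proves the request originated from a page this logged-in user
// loaded (CSRF protection). It says nothing about WHICH accounts the caller
// may edit, so on its own it is not an authorization check.
function bp_ajax_update_user_weak() {
    check_ajax_referer( 'bp_update_user', 'nonce' );   // CSRF check only

    $user_id  = absint( $_POST['user_id'] ?? 0 );      // chosen by the caller
    $userdata = array(
        'ID'         => $user_id,
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
    );
    // No capability check, no owner check: whoever reaches this branch can
    // rewrite the credentials of whatever account ID they submit.
    wp_send_json_success( wp_update_user( $userdata ) );
}

// --- Hardened pattern ------------------------------------------------------
function bp_ajax_update_user_hardened() {
    check_ajax_referer( 'bp_update_user', 'nonce' );

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $self    = get_current_user_id();

    // 1. Authorization comes from the live capability system, never from a
    //    flag the dispatcher hard-codes. 'edit_user' is a meta capability:
    //    WordPress maps it to 'edit_users' for other accounts and allows it
    //    for one's own account, so an Editor cannot touch other users.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Even callers who may edit other users must not overwrite the
    //    credentials of an account more privileged than themselves.
    $target = get_userdata( $user_id );
    if ( ! $target ) {
        wp_send_json_error( 'no such user', 404 );
    }
    if ( user_can( $target, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $userdata = array( 'ID' => $user_id );

    $email = sanitize_email( $_POST['email'] ?? '' );
    if ( $email && is_email( $email ) ) {
        $userdata['user_email'] = $email;
    }

    // 3. Password is the highest-impact field. Changing your own password
    //    requires re-authentication; changing someone else's requires
    //    Administrator-level capability.
    if ( ! empty( $_POST['password'] ) ) {
        if ( $user_id === $self ) {
            $current  = wp_get_current_user();
            $supplied = (string) ( $_POST['current_password'] ?? '' );
            if ( ! wp_check_password( $supplied, $current->user_pass, $self ) ) {
                wp_send_json_error( 'current password required', 403 );
            }
        } elseif ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $userdata['user_pass'] = (string) $_POST['password'];
    }

    $result = wp_update_user( $userdata );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'ID' => $result ) );
}
add_action( 'wp_ajax_bp_update_user', 'bp_ajax_update_user_hardened' );
```

The design point is that the nonce and the capability check answer different questions ("did this request come from my own page?" versus "is this user allowed to edit that account?"), and that any "administrator" decision must be computed from current_user_can() at request time rather than passed in as a constant. When reviewing a plugin for this class of bug, look for AJAX branches that call wp_update_user() or similar with an ID from $_POST and have no current_user_can() on the path.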
Explanation of Vulnerability in Simple Terms
02 Summary
The Booking Package plugin contains an authorization flaw affecting versions up to 1.7.16. An authenticated administrator with high privileges can read, modify, or delete sensitive data and system functionality without proper access controls. The vulnerability requires valid admin credentials and network access but does not require user interaction.
What an attacker can do
03 Attacker Capabilities
Read, modify, or delete sensitive data and system functions if they have administrator credentials.
Potential impact on your site
04 Site Impact
Administrators with compromised credentials can cause data loss, system misconfiguration, or unauthorized changes to booking data.
Conditions required to exploit
05 Prerequisites
Attacker must have valid administrator account credentials and network access to the site.
Key dates
06 Disclosure timeline
June 6, 2026: CVE published
June 6, 2026: Record updated