CVE-2026-9851 HIGH

CVE-2026-9851: Booking Package <= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action

Vendor Masaakitanaka
Product Booking Package
Weakness CWE-639 · IDOR
Published June 6, 2026
Last update June 6, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.
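The fix pattern for the flaw described above, as an added illustration rather than the plugin's own code: the action name, the 'updateUser' branch, the `Schedule::updateUser()` call, its `$administrator` argument and `wp_update_user()` are taken from the advisory, while the nonce name, the request field names and the handler structure are assumptions.

```php
<?php
// Added example (hypothetical reconstruction), not code from the Booking Package plugin.
// Nonce name and POST field names are assumed for illustration.

// Pattern the advisory describes: only a nonce is verified and the dispatcher
// passes $administrator = 1 regardless of who the caller is, so the only
// owner-restriction inside updateUser() never applies.
function vulnerable_package_app_action() {
    check_ajax_referer( 'booking_package_nonce', 'nonce' ); // assumed nonce name
    if ( ( $_POST['type'] ?? '' ) === 'updateUser' ) {
        Schedule::updateUser( $_POST, 1 ); // $administrator hard-coded to 1
    }
}

// Hardened pattern: a nonce only proves the request came from the plugin's own
// page, so authorization must be decided from the caller's capabilities.
function hardened_package_app_action() {
    check_ajax_referer( 'booking_package_nonce', 'nonce' ); // assumed nonce name
    if ( ( $_POST['type'] ?? '' ) === 'updateUser' ) {
        $administrator = current_user_can( 'edit_users' ) ? 1 : 0;
        Schedule::updateUser( $_POST, $administrator );
    }
}

class Schedule {
    public static function updateUser( array $input, int $administrator ) {
        $target_id = absint( $input['user_id'] ?? 0 ); // assumed field name

        // Non-administrators may only edit their own account.
        if ( ! $administrator && $target_id !== get_current_user_id() ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        // Even callers flagged as administrator must hold the per-user
        // 'edit_user' meta capability for the specific target account.
        if ( ! current_user_can( 'edit_user', $target_id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }

        $data = array( 'ID' => $target_id );
        if ( ! empty( $input['user_email'] ) ) {
            $data['user_email'] = sanitize_email( wp_unslash( $input['user_email'] ) );
        }
        if ( ! empty( $input['user_pass'] ) ) {
            $data['user_pass'] = wp_unslash( $input['user_pass'] ); // hashed by wp_update_user()
        }

        $result = wp_update_user( $data );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( $result->get_error_message(), 400 );
        }
        wp_send_json_success( array( 'user_id' => $result ) );
    }
}
```

The capability checks are what the advisory reports as missing; the nonce verification alone is retained unchanged in both versions to show that it never constituted an authorization check.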

Explanation of Vulnerability in Simple Terms

Summary

The Booking Package plugin contains an authorization flaw affecting versions up to and including 1.7.16. An authenticated user with Editor-level access or higher can change the email address and password of any account, including Administrator accounts, because the 'updateUser' branch of the package_app_action AJAX endpoint verifies only a nonce and performs no capability or ownership check before calling wp_update_user(). Exploitation requires a valid Editor (or higher) account and network access but does not require user interaction.

What an attacker can do

Attacker Capabilities

Change the email address and password of any user account, including Administrator accounts, from an account with Editor-level access or higher, resulting in full site takeover.

Potential impact on your site

Site Impact

An Editor-level account, whether malicious or compromised, can take over Administrator accounts, leading to full site takeover and, from there, data loss, system misconfiguration, or unauthorized changes to booking data.

Conditions required to exploit

Prerequisites

The attacker must hold a valid account with Editor-level access or higher and have network access to the site; no user interaction is required.

Key dates

Disclosure timeline

June 6, 2026 CVE published
June 6, 2026 Record updated