CVE-2026-9851
Deferred Deferred - Pending Action

Privilege Escalation via Account Takeover in Booking Package WordPress Plugin

Vulnerability report for CVE-2026-9851, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-06

Last updated on: 2026-06-08

Assigner: Wordfence

Description

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-06
Last Modified
2026-06-08
Generated
2026-07-17
AI Q&A
2026-06-06
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordfence booking_package to 1.7.16 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Booking Package plugin for WordPress has a vulnerability that allows privilege escalation through account takeover in versions up to and including 1.7.16.

This happens because there is a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint. The handler only validates a nonce, but the dispatcher calls Schedule::updateUser() with the administrator argument hard-coded to 1.

This bypasses the owner-restriction check inside that function, allowing an attacker with Editor-level access or higher to change the email address and password of any account, including Administrator accounts.

As a result, the attacker can take over the entire site.

Impact Analysis

This vulnerability can have a severe impact because it allows an authenticated attacker with Editor-level access or higher to take over any user account, including Administrator accounts.

By changing the email address and password of these accounts, the attacker gains full control over the WordPress site.

This can lead to unauthorized access, data theft, site defacement, or further malicious activities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9851. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart