CVE-2026-9851
Privilege Escalation via Account Takeover in Booking Package WordPress Plugin
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | booking_package | to 1.7.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Booking Package plugin for WordPress has a vulnerability that allows privilege escalation through account takeover in versions up to and including 1.7.16.
This happens because there is a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint. The handler only validates a nonce, but the dispatcher calls Schedule::updateUser() with the administrator argument hard-coded to 1.
This bypasses the owner-restriction check inside that function, allowing an attacker with Editor-level access or higher to change the email address and password of any account, including Administrator accounts.
As a result, the attacker can take over the entire site.
How can this vulnerability impact me? :
This vulnerability can have a severe impact because it allows an authenticated attacker with Editor-level access or higher to take over any user account, including Administrator accounts.
By changing the email address and password of these accounts, the attacker gains full control over the WordPress site.
This can lead to unauthorized access, data theft, site defacement, or further malicious activities.