CVE-2026-9851
Deferred Deferred - Pending Action
Privilege Escalation via Account Takeover in Booking Package WordPress Plugin

Publication date: 2026-06-06

Last updated on: 2026-06-08

Assigner: Wordfence

Description
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-06
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-06
EPSS Evaluated
2026-06-25
NVD
CVE-2026-9851
EUVD
EUVD-2026-34961
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence booking_package to 1.7.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Booking Package plugin for WordPress has a vulnerability that allows privilege escalation through account takeover in versions up to and including 1.7.16.

This happens because there is a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint. The handler only validates a nonce, but the dispatcher calls Schedule::updateUser() with the administrator argument hard-coded to 1.

This bypasses the owner-restriction check inside that function, allowing an attacker with Editor-level access or higher to change the email address and password of any account, including Administrator accounts.

As a result, the attacker can take over the entire site.

Impact Analysis

This vulnerability can have a severe impact because it allows an authenticated attacker with Editor-level access or higher to take over any user account, including Administrator accounts.

By changing the email address and password of these accounts, the attacker gains full control over the WordPress site.

This can lead to unauthorized access, data theft, site defacement, or further malicious activities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9851. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart