CVE-2026-9851
Description
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.
Affected products
- (no CPE) range: <=1.7.16
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The 'updateUser' AJAX endpoint lacks a capability check, allowing privilege escalation."
Attack vector
An authenticated attacker with Editor-level access can exploit this vulnerability. The attacker targets the `package_app_action` AJAX endpoint, specifically the `updateUser` action. The handler validates only a nonce, which any authenticated user of the plugin's UI can obtain, and performs no capability check; the dispatcher then invokes `Schedule::updateUser()` with the `$administrator` argument hard-coded to `1`, which bypasses the owner-restriction check inside that function. The target account is therefore chosen entirely by attacker-supplied input passed to `wp_update_user()`, allowing the attacker to change the email address and password of any user, including administrators, leading to a full site takeover [ref_id=1].
Affected code
The vulnerability resides within the `package_app_action` AJAX endpoint, specifically in the handler for the `updateUser` action. The code performs no capability check before calling `Schedule::updateUser()`, which is then invoked with `$administrator` hard-coded to `1` [ref_id=1].
What the fix does
The patch is not provided in the bundle. However, the vulnerability description indicates that the fix would involve implementing a proper capability check on the `updateUser` AJAX endpoint. This check should ensure that only users with sufficient privileges can modify user data, and that the owner restriction inside `Schedule::updateUser()` is enforced from the caller's actual privileges rather than bypassed by a hard-coded `$administrator` flag, thereby preventing unauthorized privilege escalation and account takeover.
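The following is an added example, not code from the Booking Package plugin or its fix, showing how a WordPress admin-ajax "update user" handler can enforce the checks this advisory describes as missing. All names (the `bp_example_*` functions and the `bp_example_update_user` action and nonce) are assumptions; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_update_user`, `wp_send_json_*`) are real.

```php
<?php
/**
 * Added example (hypothetical names, not the plugin's code): a hardened
 * admin-ajax handler for updating a user account. A nonce alone only
 * proves the request came from our UI; authorization must be decided
 * from the caller's capabilities, and the owner restriction must not be
 * short-circuited by a flag the dispatcher hard-codes.
 */

add_action( 'wp_ajax_bp_example_update_user', 'bp_example_ajax_update_user' );

function bp_example_ajax_update_user() {
    // 1. CSRF protection: dies with a 403 if the nonce is missing/invalid.
    //    This is necessary but NOT sufficient on its own.
    check_ajax_referer( 'bp_example_update_user', 'nonce' );

    $caller_id = get_current_user_id();
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    // 2. Authorization: derive the "may edit other users" flag from the
    //    caller's real capabilities, never hard-code it to 1/true.
    $can_edit_others = current_user_can( 'edit_users' );

    $result = bp_example_update_user( $caller_id, $target_id, $can_edit_others, $_POST );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 403 );
    }
    wp_send_json_success( array( 'user_id' => $result ) );
}

/**
 * Owner restriction and per-target capability check, always enforced:
 *  - a caller without 'edit_users' may only change their own account,
 *    whatever user_id the request carried;
 *  - every caller must also pass WordPress' per-user 'edit_user' meta
 *    capability for the chosen target.
 */
function bp_example_update_user( $caller_id, $target_id, $can_edit_others, $input ) {
    if ( ! $can_edit_others ) {
        // Ignore attacker-controlled user_id entirely for ordinary users.
        $target_id = $caller_id;
    }

    if ( $target_id <= 0 || ! current_user_can( 'edit_user', $target_id ) ) {
        return new WP_Error( 'forbidden', 'You may not modify this account.' );
    }

    $data = array( 'ID' => $target_id );

    if ( ! empty( $input['user_email'] ) ) {
        $email = sanitize_email( wp_unslash( $input['user_email'] ) );
        if ( ! is_email( $email ) ) {
            return new WP_Error( 'bad_email', 'Invalid email address.' );
        }
        $data['user_email'] = $email;
    }

    if ( ! empty( $input['user_pass'] ) ) {
        $data['user_pass'] = (string) wp_unslash( $input['user_pass'] );
    }

    // Only whitelisted fields reach wp_update_user(); 'role' and other
    // keys from the request are never copied into $data.
    return wp_update_user( $data ); // int user ID on success, WP_Error on failure
}
```

The key design point is that the "administrator" decision is computed inside the handler from `current_user_can()` and passed down, so the function that enforces the owner restriction can never be called with a privileged flag that the caller did not earn. Reviewers auditing AJAX endpoints can use this as a checklist: nonce check present, capability check present, target ID not taken from the request for unprivileged callers, and input fields whitelisted before reaching `wp_update_user()`.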
Preconditions
- Authentication: Attacker must have at least Editor-level access.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/index.php
- plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/lib/Schedule.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/795c1fd6-137b-4414-8d6b-30053bfb5924
News mentions
No linked articles in our index yet.