CVE-2026-9185: 6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.
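The handler shape the advisory describes, next to a hardened counterpart, as an added PHP example written for this page and not 6Storage Rentals source. The hook names, action names, and the function names six_storage_getUserInfo() and six_storage_updateProfile() are those the advisory cites; everything else is assumed: that tenant fields are kept in user meta under the keys phone and ssn, the JSON response shape, the nonce action name six_storage_profile, and the use of manage_options as the capability that permits staff to act on another tenant.

```php
<?php
// Added example: a minimal reconstruction of the handler shape the advisory
// describes, followed by a hardened version. Not 6Storage Rentals source.
// Assumptions: tenant fields live in user meta under 'phone' and 'ssn', and the
// front end sends a nonce created with wp_create_nonce('six_storage_profile').

// ---------- Vulnerable pattern (CWE-639, as described in the advisory) ----------
// Anonymous callers reach both handlers via wp_ajax_nopriv_*, the subject is
// taken straight from $_POST['userId'], and nothing ties it to the requester.
add_action('wp_ajax_nopriv_six_storage_get_user_info', 'six_storage_getUserInfo');
add_action('wp_ajax_nopriv_six_storage_update_profile', 'six_storage_updateProfile');

function six_storage_getUserInfo() {
    $user_id = (int) $_POST['userId'];           // attacker-chosen key, no ownership check
    $user    = get_userdata($user_id);
    wp_send_json_success([
        'name'  => $user->display_name,
        'email' => $user->user_email,
        'phone' => get_user_meta($user_id, 'phone', true),
        'ssn'   => get_user_meta($user_id, 'ssn', true),   // full SSN returned to anyone
    ]);
}

function six_storage_updateProfile() {
    $user_id = (int) $_POST['userId'];           // attacker-chosen key, no ownership check
    update_user_meta($user_id, 'phone', sanitize_text_field($_POST['phone']));
    wp_update_user(['ID' => $user_id, 'user_email' => sanitize_email($_POST['email'])]);
    wp_send_json_success();
}

// ---------- Hardened pattern ----------
// 1. No wp_ajax_nopriv_* registration: a logged-out request gets admin-ajax.php's
//    default "0" body with HTTP 400 and never reaches the handler.
// 2. A nonce bound to this feature is checked before any work is done.
// 3. The subject is the session's user. Naming a different userId requires an
//    explicit capability; ownership is enforced server-side, not by the client.
add_action('wp_ajax_six_storage_get_user_info', 'six_storage_getUserInfo_secure');
add_action('wp_ajax_six_storage_update_profile', 'six_storage_updateProfile_secure');

function six_storage_resolve_subject(): int {
    check_ajax_referer('six_storage_profile', 'nonce');    // dies with 403 on a bad nonce
    $current = get_current_user_id();
    if ($current === 0) {
        wp_send_json_error('authentication required', 401);
    }
    $requested = isset($_POST['userId']) ? (int) $_POST['userId'] : $current;
    if ($requested !== $current && !current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);               // IDOR attempt stops here
    }
    return $requested;
}

function six_storage_getUserInfo_secure() {
    $user_id = six_storage_resolve_subject();
    $user    = get_userdata($user_id);
    if (!$user) {
        wp_send_json_error('not found', 404);
    }
    wp_send_json_success([
        'name'      => $user->display_name,
        'email'     => $user->user_email,
        'phone'     => get_user_meta($user_id, 'phone', true),
        // Never return the full SSN; expose a masked form only if the UI needs it.
        'ssn_last4' => substr((string) get_user_meta($user_id, 'ssn', true), -4),
    ]);
}

function six_storage_updateProfile_secure() {
    $user_id = six_storage_resolve_subject();
    $email   = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    if (!is_email($email)) {
        wp_send_json_error('invalid email', 400);
    }
    update_user_meta($user_id, 'phone', sanitize_text_field(wp_unslash($_POST['phone'] ?? '')));
    $result = wp_update_user(['ID' => $user_id, 'user_email' => $email]);
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 500);
    }
    wp_send_json_success();
}
```

The three changes map one-to-one onto the three missing checks the advisory names: dropping the nopriv registration is the session binding, check_ajax_referer() is the nonce validation, and six_storage_resolve_subject() is the ownership verification. Note that the nonce alone would not have closed the hole; an anonymous caller can fetch a nonce from any page that prints one, so the capability and user-ID comparison is the part that actually stops the IDOR.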
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An Insecure Direct Object Reference (IDOR) vulnerability exists in the 6Storage Rentals plugin for WordPress, affecting all versions up to and including 2.22.0. The flaw is reachable over the network with no authentication required: two AJAX endpoints accept a raw user-supplied 'userId' parameter and perform no ownership check, session binding, or nonce validation before returning or updating tenant records. Successful exploitation lets an unauthenticated attacker read or overwrite any tenant's profile data, including name, email address, phone number, physical address, and SSN. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection (Available): Detection capability for CVE-2026-9185 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Wordfence's advisory, within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle this plugin.
- Scoring and routing (Available): HarborGuard scores this finding at CVSS 7.5 (HIGH) using the published v3.1 vector, and per-environment compliance policy weighting is available to escalate or suppress the finding based on each customer org's data-sensitivity rules, routing it to the appropriate team inbox automatically.
- Patched-image rebuild (Pending upstream): No fix version has been published upstream for this CVE; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression-test run, and a PR against affected workloads will be triggered without manual intervention once a fix version is available.
Exploit Conditions
- Network reachability: Required
The vulnerable AJAX endpoints are exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation.
- Authentication: Not required
Both handlers are registered on 'wp_ajax_nopriv_*' hooks, meaning no account or session cookie of any kind is needed to invoke them.
- Victim interaction: Not required
The attacker sends a crafted POST request directly to the server; no user action or social-engineering step is required.
- Attack complexity: Low
Exploitation is reliable and condition-free: the attacker only needs to enumerate sequential or guessable 'userId' integer values, with no race condition or environmental dependency.
Blast Radius
- Reads any tenant's stored profile record, including full name, email address, phone number, physical address, and SSN, by supplying an enumerated userId.
- Overwrites any tenant's profile fields via the update endpoint; replacing the target's email address can lead to account takeover wherever password-reset or login flows are keyed to that address.
- Exposes SSNs and contact details for every registered tenant in the storage-rental system, creating direct regulatory and legal exposure under data-protection frameworks.
- Enables bulk harvesting of the entire tenant database by iterating userId values in automated requests, with no rate-limit or auth barrier enforced by the plugin.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-9185 as of the advisory date, the platform monitors the Wordfence feed on every ingest cycle and will surface a patched-image rebuild the moment a remediated version of 6Storage Rentals is released. In the meantime, customers running this plugin can apply compensating controls within their environments: a WAF or reverse-proxy rule that rejects requests to wp-admin/admin-ajax.php whose 'action' parameter is 'six_storage_get_user_info' or 'six_storage_update_profile' unless a valid WordPress login cookie is present (blocking all anonymous admin-ajax.php traffic is a blunter alternative that also breaks other plugins' legitimate nopriv actions); rate-limiting and alerting on bursts of such requests from a single source, since the plugin enforces no rate limit of its own; and a must-use plugin or plugin deactivation that disables the two AJAX actions until a patch is available. For customers with auto-remediation enabled, once an upstream fix is published, HarborGuard will automatically trigger a rebuild, run the regression-test suite, and open a PR against affected workloads, with a typical median time from CVE publication to merged patch PR of around 90 minutes for high-severity findings in those environments.
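One way to apply the "disable the actions" control without editing vendor code is a must-use plugin that hooks the same AJAX actions ahead of the vendor callbacks. The following is an added example written for this page, not 6Storage Rentals or HarborGuard code. It assumes the vendor callbacks are registered at WordPress's default priority of 10 (so a priority -1 callback runs first), that the plugin may also register logged-in 'wp_ajax_*' variants of the same actions (the advisory only mentions the nopriv hooks), and that manage_options is an acceptable capability for staff who legitimately act on other tenants.

```php
<?php
/**
 * Plugin Name: 6Storage Rentals IDOR shim (temporary)
 * Description: Place in wp-content/mu-plugins/ until a fixed 6Storage Rentals release ships.
 *
 * Added example, not vendor code. Assumes the vendor handlers are hooked at the
 * default priority (10), so a callback at priority -1 runs first and can end the
 * request before the vulnerable function executes.
 */

$six_storage_gated_actions = [
    'six_storage_get_user_info',
    'six_storage_update_profile',
];

foreach ($six_storage_gated_actions as $action) {
    // Anonymous path: refuse outright. wp_send_json_error() terminates the request,
    // so the plugin's own wp_ajax_nopriv_* callback never runs.
    add_action('wp_ajax_nopriv_' . $action, function () use ($action) {
        six_storage_shim_log($action, 0);
        wp_send_json_error('authentication required', 401);
    }, -1);

    // Logged-in path (if the plugin registers one): bind userId to the session so
    // an authenticated tenant cannot read or edit a different tenant's record.
    add_action('wp_ajax_' . $action, function () use ($action) {
        $current   = get_current_user_id();
        $requested = isset($_POST['userId']) ? (int) $_POST['userId'] : $current;
        if ($requested !== $current && !current_user_can('manage_options')) {
            six_storage_shim_log($action, $current);
            wp_send_json_error('forbidden', 403);
        }
        // Otherwise fall through; the vendor callback runs at priority 10.
    }, -1);
}

// Log every blocked call with the requested target. A single source cycling
// through many target_userId values is the enumeration pattern to alert on.
function six_storage_shim_log(string $action, int $uid): void {
    $ip     = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $target = isset($_POST['userId']) ? (int) $_POST['userId'] : -1;
    error_log(sprintf(
        'six_storage shim blocked action=%s uid=%d target_userId=%d ip=%s',
        $action, $uid, $target, $ip
    ));
}
```

Because the shim only intercepts the two named actions, the rest of admin-ajax.php keeps working for other plugins. It is a stopgap, not a fix: the vulnerable functions still ship with the plugin, so remove the shim only after upgrading past 2.22.0 to a release that carries the upstream fix.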
Affected Products
- sixstorage / 6Storage Rentals: ≤ 2.22.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Note that this published vector scores integrity impact as None (I:N) even though the advisory describes unauthenticated modification via 'six_storage_update_profile'; treat the 7.5 as a floor when triaging, since the write path on its own would justify a higher integrity rating.