Severity: HIGH | CVE-2026-9851 | CNA: Wordfence

CVE-2026-9851: Booking Package <= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.
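To make the defect class concrete, here is an added illustration (not the plugin's own code) of the pattern the advisory describes beside a hardened dispatcher: the nonce-only branch hands a caller-supplied user ID to the update routine with the administrator flag forced on, while the hardened form derives that flag from the caller's capabilities. Function names, the nonce action and the request field names are assumptions for illustration only.

```php
<?php
// Added illustration, not the Booking Package plugin's code. Names are assumed.

// Vulnerable pattern: a nonce proves the request came from a logged-in session,
// not that the session is allowed to edit the requested user. Passing 1 as the
// administrator flag disables the only owner restriction in the update routine.
function vulnerable_update_user_branch( array $request ) {
    check_ajax_referer( 'package_app_nonce', 'nonce' ); // only check performed
    $user_id = (int) $request['user_id'];                // caller-controlled target
    return update_user_record( $user_id, $request, 1 );  // flag hard-coded to 1
}

// Hardened pattern: explicit capability check, and the administrator flag is
// computed from the current user's capabilities rather than supplied by code.
function hardened_update_user_branch( array $request ) {
    check_ajax_referer( 'package_app_nonce', 'nonce' );
    $current = get_current_user_id();
    $target  = isset( $request['user_id'] ) ? (int) $request['user_id'] : $current;

    // Editors lack edit_users on a single site, so they fall through to the
    // owner restriction; edit_user (meta cap) lets WordPress veto edits to
    // accounts the caller may not touch.
    $may_edit_others = current_user_can( 'edit_users' )
        && current_user_can( 'edit_user', $target );
    if ( $target !== $current && ! $may_edit_others ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    return update_user_record( $target, $request, $may_edit_others ? 1 : 0 );
}

// Update routine shared by both branches; the owner restriction lives here.
function update_user_record( int $user_id, array $request, int $administrator ) {
    if ( ! $administrator && $user_id !== get_current_user_id() ) {
        return new WP_Error( 'forbidden', 'owner restriction' );
    }
    $data = array( 'ID' => $user_id );
    if ( ! empty( $request['user_email'] ) ) {
        $data['user_email'] = sanitize_email( $request['user_email'] );
    }
    if ( ! empty( $request['user_pass'] ) ) {
        $data['user_pass'] = $request['user_pass']; // wp_update_user hashes it
    }
    return wp_update_user( $data );
}
```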

Metrics

  • CVSS v3.1: 7.2
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a privilege escalation and account takeover vulnerability in the Booking Package plugin for WordPress (versions up to and including 1.7.16). The flaw is reachable over the network by any authenticated user with Editor-level access or higher, requiring no victim interaction. A successful attacker can change the email address and password of any WordPress account, including Administrator accounts, resulting in complete site takeover. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Booking Package plugin. Any image carrying the plugin at version 1.7.16 or earlier is flagged automatically.
Triage (Available)

HarborGuard scores this finding at CVSS 7.2 (High) and applies per-environment compliance policy weighting to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on their configured policy.
Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, findings are surfaced continuously so customers can apply compensating controls while the upstream patch is pending.

Exploit Conditions

  • Network reachability: Required

    The vulnerable AJAX endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS.

  • Authentication: Required

    An authenticated account at Editor privilege level or above is required; a low-to-mid-privilege account is sufficient to trigger the endpoint.

  • Victim interaction: Not required

    No victim action is needed; the attacker calls the AJAX endpoint directly and supplies the target user ID without any user interaction.

  • Attack complexity

    Exploitation is straightforward and condition-free: the attacker supplies a valid nonce (obtainable as any authenticated user) and a target user ID, with no race conditions or special environmental factors required.

Blast Radius

  • Attacker overwrites the email address and password of any WordPress account, including the site Administrator, and takes over that account immediately.
  • Full administrative access to the WordPress installation is gained, enabling installation or modification of plugins, themes, and content.
  • Confidential data stored in the WordPress database, including user records, private posts, and stored credentials, becomes readable and modifiable.
  • The attacker can lock out the legitimate Administrator by changing credentials, effectively causing a denial of access for the real site owner.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked with no fix version currently published, so HarborGuard re-evaluates the advisory on every ingest cycle. Images carrying Booking Package at version 1.7.16 or earlier are flagged as affected in any customer registry or build pipeline where they appear. While no upstream patch exists, customers can apply compensating controls such as network-policy rules that restrict wp-admin AJAX access to known IP ranges, removal or deactivation of the Booking Package plugin in affected images, and role-hygiene reviews to minimize the number of accounts holding Editor-level access or above. For customers with auto-remediation enabled, a rebuilt image and a PR opened against affected workloads will be generated automatically the moment an upstream fix version is published, with no manual tracking required.
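One of the compensating controls named above, restricting the endpoint until a fixed release ships, can be applied inside WordPress itself. The following must-use plugin is an added example (not HarborGuard's or the Booking Package project's code); it assumes the endpoint is registered on the standard wp_ajax_package_app_action hook and that the plugin header's Name field reads "Booking Package".

```php
<?php
/**
 * Plugin Name: Booking Package AJAX guard (compensating control)
 * Description: Added example; place in wp-content/mu-plugins/. Limits the
 *              package_app_action AJAX endpoint to administrators while an
 *              affected Booking Package version (<= 1.7.16) is installed.
 */

// Look up the installed Booking Package version from the plugin headers.
// Returns null when the plugin is not present.
function bpg_installed_version() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $data ) {
        if ( 'Booking Package' === $data['Name'] ) { // assumed header value
            return $data['Version'];
        }
    }
    return null;
}

// Runs before the plugin's own callback on the same hook (priority 0 < 10).
function bpg_guard_ajax() {
    $version = bpg_installed_version();
    // Stand down once a version above 1.7.16 is installed, or if absent.
    if ( null === $version || version_compare( $version, '1.7.16', '>' ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        // Log for detection; wp_send_json_error() terminates the request,
        // so the plugin's handler never runs for non-administrators.
        error_log( sprintf(
            'bpg: blocked package_app_action (version %s) for user %d',
            $version,
            get_current_user_id()
        ) );
        wp_send_json_error( 'package_app_action is restricted pending a security fix', 403 );
    }
}
add_action( 'wp_ajax_package_app_action', 'bpg_guard_ajax', 0 );
```

Because the guard blocks every branch of the action, not only updateUser, non-administrator features of the plugin that use the same endpoint stop working while it is active; the error_log lines give a simple signal for watching who is still calling it.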

Affected packages

  • masaakitanaka / Booking Package, versions ≤ 1.7.16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H