CVE-2026-9185 Overview
CVE-2026-9185 is an authorization bypass vulnerability in the 6Storage Rentals plugin for WordPress affecting all versions up to and including 2.22.0. The flaw resides in the six_storage_get_user_info and six_storage_update_profile AJAX actions, which accept a tenant identifier from the userId POST parameter without ownership verification. Unauthenticated attackers can read and modify arbitrary tenant profile data by supplying enumerated user IDs in crafted requests. Exposed data includes names, email addresses, phone numbers, physical addresses, and Social Security Numbers (SSNs). The vulnerability is classified under CWE-639: Authorization Bypass Through User-Controlled Key.
Critical Impact
Unauthenticated attackers can enumerate tenant IDs and exfiltrate or modify sensitive personally identifiable information (PII), including SSNs, across every tenant in affected installations.
Affected Products
- 6Storage Rentals plugin for WordPress, all versions up to and including 2.22.0
- Confirmed vulnerable releases include 2.20.2 and 2.22.0 per source tree references
- WordPress sites running the plugin with wp_ajax_nopriv_* handlers exposed
Discovery Timeline
- 2026-06-09 - CVE-2026-9185 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-9185
Vulnerability Analysis
The 6Storage Rentals plugin registers two AJAX handlers, six_storage_getUserInfo() and six_storage_updateProfile(), on the wp_ajax_nopriv_* hook. This hook exposes endpoints to unauthenticated visitors. Both functions read a tenant identifier directly from $_POST['userId'] and use it as a lookup key against the tenants table.
Neither handler performs session binding, ownership verification, or nonce validation against the supplied identifier. As a result, the server fulfills any request that includes a numeric userId, regardless of who is sending it. Tenant IDs are sequential and easily enumerated, which lets attackers iterate through the dataset and harvest or overwrite profile records at will.
Impact extends beyond confidentiality. Because six_storage_updateProfile() accepts arbitrary changes to identity fields, attackers can alter contact information and SSN values, corrupting business records and enabling downstream fraud or social engineering against legitimate tenants.
Root Cause
The root cause is missing access control on user-controlled identifiers, a textbook Insecure Direct Object Reference (IDOR). The handlers trust the client-supplied userId as authoritative, conflating identification with authorization. Registering the actions on wp_ajax_nopriv_* compounds the issue by removing any authentication requirement.
Attack Vector
The vulnerability is exploited remotely over the network with no authentication and no user interaction. An attacker sends a crafted POST request to wp-admin/admin-ajax.php with action=six_storage_get_user_info or action=six_storage_update_profile and an enumerated userId value. The server returns or updates that tenant's record without further checks.
No public exploit has been catalogued in ExploitDB, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Public source-code references to the vulnerable lines are available in the WordPress Plugin Trac for version 2.22.0 and the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-9185
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=six_storage_get_user_info or action=six_storage_update_profile originating from unauthenticated sessions
- Sequential or rapidly incrementing userId parameter values in access logs, indicating tenant enumeration
- Profile update events recorded in the plugin database without a corresponding authenticated WordPress session cookie
- Outbound responses containing tenant PII fields returned to IPs that have not completed any login flow
Detection Strategies
- Parse web server access logs for high-volume POST traffic to admin-ajax.php referencing the two vulnerable action values within short time windows
- Correlate WordPress authentication logs with AJAX activity to flag profile read or write actions executed without an authenticated session
- Deploy Web Application Firewall (WAF) rules to alert on requests where userId differs from any value bound to the requester's session
- Monitor database audit trails for UPDATE statements against the tenants table that lack an associated authenticated user context
Monitoring Recommendations
- Centralize WordPress and reverse-proxy logs in a SIEM and build alerts for the two specific AJAX action strings
- Track baseline request volumes to admin-ajax.php per source IP and flag deviations consistent with ID enumeration
- Review tenant records for unexplained changes to email, phone, address, or SSN fields and reconcile against authenticated audit entries
How to Mitigate CVE-2026-9185
Immediate Actions Required
- Update the 6Storage Rentals plugin to a version newer than 2.22.0 once the vendor publishes a patched release
- If no fixed version is available, deactivate and remove the plugin until a patch is verified
- Audit the tenants table for unauthorized profile modifications and reset affected records from backup
- Notify tenants whose SSN or contact data may have been exposed, in line with applicable breach notification regulations
Patch Information
At the time of NVD publication on 2026-06-09, the advisory identifies all versions up to and including 2.22.0 as vulnerable. Site administrators should consult the Wordfence Vulnerability Report and the WordPress plugin repository for the latest fixed release and changelog confirming the addition of ownership checks and nonce validation.
Workarounds
- Block unauthenticated access to admin-ajax.php requests carrying action=six_storage_get_user_info or action=six_storage_update_profile at the WAF or reverse proxy layer
- Restrict access to the WordPress site behind an authentication gateway or IP allowlist while a patch is pending
- Remove or rename the vulnerable handler registrations in Six_Storage_DashboardController.php if maintaining the plugin in place is unavoidable
# Example nginx rule to block the vulnerable AJAX actions
location = /wp-admin/admin-ajax.php {
if ($request_method = POST) {
if ($request_body ~* "action=(six_storage_get_user_info|six_storage_update_profile)") {
return 403;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
