CVE-2026-9851 Overview
CVE-2026-9851 is a privilege escalation vulnerability in the Booking Package plugin for WordPress affecting all versions up to and including 1.7.16. The flaw resides in the updateUser branch of the package_app_action AJAX endpoint, which validates a nonce but omits a capability check. The dispatcher calls Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the owner-restriction logic inside the function. Authenticated attackers with Editor-level access or higher can change the email address and password of any account, including Administrator accounts. The result is full site takeover by a low-trust authenticated user [CWE-639].
Critical Impact
Editor-level users can hijack Administrator accounts and gain full control of the WordPress site.
Affected Products
- Booking Package plugin for WordPress, versions through 1.7.16
- WordPress sites that expose Editor or higher roles to untrusted users
- Multi-author WordPress deployments running the affected plugin
Discovery Timeline
- 2026-06-06 - CVE-2026-9851 published to the National Vulnerability Database (NVD)
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-9851
Vulnerability Analysis
The Booking Package plugin registers an AJAX action named package_app_action that dispatches multiple sub-actions based on attacker-supplied input. The updateUser branch handles account modifications. The handler validates a WordPress nonce but does not call current_user_can() or any equivalent capability check before processing the request. Any authenticated user able to obtain a valid nonce can reach this code path.
Inside the dispatcher, Schedule::updateUser() is invoked with the $administrator parameter statically set to 1. The function contains a conditional that restricts updates to the account owner, but the hard-coded administrator flag bypasses that gate. The target user ID, email address, and password are read directly from the request payload and passed to wp_update_user().
Because wp_update_user() accepts arbitrary user IDs in this context, an Editor can submit the ID of any Administrator and overwrite that account's credentials. The attacker then logs in as the hijacked Administrator and controls the site.
Root Cause
The root cause is a missing authorization check on a privileged AJAX endpoint, combined with a hard-coded privilege flag that disables the in-function owner restriction. Nonce validation confirms request origin but does not enforce authorization, leaving access control to the bypassed branch.
Attack Vector
An attacker authenticates as an Editor or higher, fetches a valid nonce from an authorized plugin page, and posts to admin-ajax.php with action=package_app_action, the updateUser sub-action, a target user ID, and new credentials. The plugin then writes the attacker-controlled email and password to the targeted Administrator account.
No specific exploitation code is published in the referenced advisories. See the Wordfence Vulnerability Report and the WordPress Booking Package Code for the affected source paths.
Detection Methods for CVE-2026-9851
Indicators of Compromise
- POST requests to wp-admin/admin-ajax.php with parameter action=package_app_action and a sub-action of updateUser originating from non-Administrator sessions.
- Unexpected changes to Administrator account user_email or user_pass fields in the wp_users table.
- New Administrator logins from unfamiliar IP addresses immediately following Editor-account activity.
- Password reset emails or account-update notifications sent to attacker-controlled addresses.
Detection Strategies
- Inspect web server access logs for POSTs to admin-ajax.php referencing package_app_action and correlate with the authenticated user role.
- Audit WordPress user metadata for email or password changes to privileged accounts performed outside the standard profile interface.
- Hunt for Editor-role sessions issuing requests that target user IDs other than their own.
Monitoring Recommendations
- Enable WordPress audit logging for user profile updates and role changes.
- Forward web server and PHP application logs to a centralized analytics platform for role-aware correlation.
- Alert on Administrator login from a new IP within a short window after an Editor session interacts with the Booking Package plugin.
How to Mitigate CVE-2026-9851
Immediate Actions Required
- Update the Booking Package plugin to a version later than 1.7.16 once the vendor publishes a fixed release.
- Rotate passwords and reset email addresses on all Administrator accounts.
- Review the user list for unexpected Administrator accounts and remove any that are unauthorized.
- Restrict Editor-and-above access to trusted personnel only until patching is complete.
Patch Information
The vendor changeset is tracked in the WordPress Booking Package Changeset. Apply the latest plugin version from the WordPress plugin repository and verify that the updateUser handler enforces current_user_can() and removes the hard-coded administrator flag.
Workarounds
- Deactivate the Booking Package plugin until a fixed version is installed.
- Block external access to wp-admin/admin-ajax.php requests carrying action=package_app_action using a web application firewall rule.
- Temporarily downgrade non-essential Editor accounts to lower-privilege roles that cannot reach the vulnerable endpoint.
# Example WAF rule (ModSecurity) to block the vulnerable AJAX branch
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:1029851,msg:'Block Booking Package updateUser CVE-2026-9851'"
SecRule ARGS:action "@streq package_app_action" \
"chain"
SecRule ARGS "@rx (?i)updateUser" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
