HIGH 7.5

CVE-2026-9185: 6Storage Rentals Plugin Authorization Bypass—Unauthenticated Tenant Data Access

The 6Storage Rentals WordPress plugin contains an authorization flaw that allows unauthenticated attackers to access and modify sensitive tenant information without permission. By sending a simple web request with a guessed tenant ID number, an attacker can read or change names, email addresses, phone numbers, physical addresses, and social security numbers belonging to any tenant in the system. The vulnerability exists in two plugin functions that were incorrectly exposed to unauthenticated users and fail to verify that the requester actually owns the account they're trying to access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-639
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.

11 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The 6Storage Rentals plugin registers the `six_storage_get_user_info` and `six_storage_update_profile` AJAX handlers on `wp_ajax_nopriv_*` hooks, making them accessible without WordPress authentication. The underlying functions—`six_storage_getUserInfo()` and `six_storage_updateProfile()`—accept a user identifier directly from the `userId` POST parameter without performing ownership verification, nonce validation, or session binding. An attacker can enumerate tenant IDs and construct POST requests to retrieve profile data via the read handler or modify it via the update handler, bypassing all authorization controls. The vulnerability affects all versions up to and including 2.22.0.

Business impact

Organizations running the 6Storage Rentals plugin face immediate data breach risk affecting tenant privacy and compliance obligations. Attackers can harvest PII including SSNs and physical addresses at scale, creating liability under GDPR, CCPA, and other data protection frameworks. The ability to modify tenant records introduces secondary risks: fraudulent address changes, email takeovers, and potential identity theft. Tenant confidence and brand reputation are directly threatened, and breach notification costs could be substantial depending on tenant volume.

Affected systems

Any WordPress site running the 6Storage Rentals plugin in versions 2.22.0 or earlier is vulnerable. The plugin exposes the vulnerability to unauthenticated remote attackers over the network; no special access or user interaction is required. The attack surface is broad because the vulnerable AJAX handlers are reachable by any HTTP client that can reach the WordPress installation.

Exploitability

This vulnerability has a low bar to exploitation. It requires no authentication, no user interaction, no special conditions, and straightforward HTTP POST requests. An attacker with basic web skills can craft requests using standard tools. The main operational hurdle is enumerating valid tenant IDs, which is typically achievable through incremental guessing or by observing ID patterns in public-facing content. The HIGH CVSS score (7.5) reflects this ease of access combined with confidentiality impact; integrity is not scored because the attacker cannot delete or destroy data, only read and modify existing records.

Remediation

The plugin maintainers must immediately implement ownership verification logic: verify that the requesting user either owns the tenant ID in question or has administrative authority to modify it. Implement WordPress nonces on all AJAX handlers and validate them server-side. Remove these functions from the `wp_ajax_nopriv_*` hooks unless there is a legitimate reason for unauthenticated access—if that access is necessary, it must be paired with a time-limited token or similar mechanism tied to the specific user making the request. Upgrade to a patched version as soon as the vendor releases one.

Patch guidance

Check the 6Storage Rentals plugin repository or vendor website for version 2.22.1 or later. Verify the release notes confirm that authorization checks and nonce validation have been added to the `six_storage_get_user_info` and `six_storage_update_profile` handlers. Test the patched version in a staging environment to ensure tenant profile operations remain functional before deploying to production. If no patch is available, disable the plugin immediately and evaluate alternative solutions.

Detection guidance

Monitor WordPress logs and web server access logs for POST requests to `/wp-admin/admin-ajax.php` with `action=six_storage_get_user_info` or `action=six_storage_update_profile` originating from unexpected IP addresses or at unusual times. Log any requests containing `userId` parameters with values that do not match the currently authenticated user. Implement rate limiting on these AJAX endpoints to raise the cost of enumeration attacks. Consider deploying a WAF rule to block unauthenticated AJAX requests to these specific handlers until patching is complete.

Why prioritize this

HIGH priority remediation is warranted. The vulnerability allows unauthenticated read and modification of sensitive PII at scale with trivial exploitation complexity. Organizations with active tenants face immediate data breach and regulatory compliance risk. The absence of any exploitation difficulty or user interaction requirement elevates urgency beyond typical medium-severity issues. Patch and deploy immediately.

Risk score, explained

CVSS 7.5 reflects a network-accessible vulnerability with no authentication or user interaction required, resulting in high confidentiality impact (an attacker can read arbitrary tenant records). The integrity impact is not scored as high because the attacker modifies data within the existing data model rather than destroying or exfiltrating it; however, the ability to change PII is still a serious integrity concern. The score does not account for business context (regulatory obligations, tenant scale), so organizations with large tenant bases or strict compliance requirements should treat this as business-critical.

Frequently asked questions

Do I need to be a WordPress administrator to exploit this?

No. This is an unauthenticated vulnerability. An attacker does not need any WordPress user account, administrative privilege, or valid credentials. Any HTTP client can send a POST request to the vulnerable AJAX handlers.

How would an attacker know which tenant IDs to target?

Tenant IDs are often sequential integers (1, 2, 3, etc.) or follow predictable patterns. An attacker can enumerate them rapidly without triggering account lockouts or alerts, especially if the plugin does not rate-limit AJAX requests. In some cases, valid IDs may be exposed in public pages, email headers, or other artifacts.

Can the attacker delete or destroy tenant data?

The vulnerability allows reading and modifying existing profile fields (name, email, address, SSN). It does not permit deletion of records or broader database manipulation based on the description. However, the ability to change SSN or address is a serious integrity breach and can facilitate fraud or identity theft.

What is the difference between 'read' and 'update' handlers, and do I need to patch both?

The `six_storage_get_user_info` handler allows reading any tenant's data; the `six_storage_update_profile` handler allows modifying it. Both are vulnerable and must be patched. A complete fix requires authorization verification in both functions.

This analysis is provided for informational and defensive purposes. It is based on the published CVE description and CVSS vector as of the modification date. Actual patch availability, vendor timelines, and version numbers should be verified directly with the plugin maintainers or WordPress plugin repository. Organizations are responsible for assessing the risk in their own environment and determining appropriate remediation timelines. This guidance does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).