CVE-2026-9851: Booking Package WordPress Plugin Privilege Escalation & Account Takeover Vulnerability
The Booking Package plugin for WordPress contains a critical flaw that allows authenticated editors and higher-privileged users to seize control of any WordPress account, including administrator accounts. An attacker with editor-level access can bypass security checks in the plugin's user management functionality to change email addresses and passwords of other users without proper authorization. This effectively enables complete site takeover.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9851 is a privilege escalation vulnerability in the Booking Package WordPress plugin affecting versions up to 1.7.16. The vulnerability exists in the 'updateUser' branch of the package_app_action AJAX endpoint. The endpoint validates only a nonce but fails to check user capabilities before processing requests. Critically, the code dispatcher invokes Schedule::updateUser() with the $administrator parameter hardcoded to 1, which bypasses the only ownership-restriction check within that function. This allows attacker-controlled input to directly specify the target user ID passed to wp_update_user(), enabling arbitrary account modification. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key).
Business impact
A successful exploitation results in full administrative compromise of a WordPress site. An attacker with editor credentials can promote themselves to or assume control of any administrator account, effectively taking ownership of the entire site, its data, plugins, and configurations. This enables data theft, malware injection, defacement, and complete loss of site availability. For organizations using WordPress for critical operations, e-commerce, or content distribution, this represents a catastrophic business continuity risk.
Affected systems
Booking Package plugin for WordPress in all versions up to and including 1.7.16 are affected. The vulnerability requires the attacker to already possess Editor-level access or above, making it a post-authentication exploit. Any WordPress installation using this plugin in the vulnerable version range is at risk if any editor-level account is compromised or if a malicious insider exists within the organization.
Exploitability
This vulnerability has a CVSS 3.1 score of 7.2 (HIGH severity) with a network-accessible vector, low attack complexity, and high-privilege requirement. While exploitation requires the attacker to already hold Editor or Administrator credentials, the barrier to entry can be low if such accounts are compromised through phishing, weak passwords, or other means. The lack of user interaction required and the straightforward nature of the AJAX endpoint make exploitation trivial once credentials are obtained. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Update the Booking Package plugin to a patched version released after 1.7.16. Verify the patched version against the official plugin repository and the vendor's security advisory. Additionally, conduct an immediate audit of all WordPress user accounts for unauthorized modifications (changed email addresses, password resets, unexpected privilege escalations). Restrict editor-level permissions to trusted personnel only and enforce strong password policies for all accounts. Monitor AJAX requests to the package_app_action endpoint for suspicious activity.
Patch guidance
Check the WordPress plugin repository and vendor security advisories for available updates to Booking Package beyond version 1.7.16. Patches typically address the missing capability check by implementing proper authorization validation before invoking the updateUser function. Test patches in a staging environment before production deployment. Verify that the patched version includes capability checks on the updateUser AJAX handler and removes or secures the hardcoded $administrator parameter. After patching, audit all recent user account changes and reset passwords for high-privilege accounts as a precautionary measure.
Detection guidance
Monitor WordPress logs and audit trails for: (1) AJAX POST requests to wp-admin/admin-ajax.php with action=package_app_action and updateUser parameters; (2) wp_update_user() function calls triggered by non-administrative users; (3) unexpected changes to user email addresses or password hashes for administrator accounts; (4) privilege escalation events where lower-privileged users suddenly gain higher roles. Check for suspicious activity in the 7-day window after the CVE publication date (2026-06-06) as a baseline for potential exploitation attempts. Use WordPress security plugins that monitor user modifications and AJAX activity for alerting.
Why prioritize this
Prioritize patching immediately if Booking Package is deployed. This vulnerability enables complete site takeover from a minimally-elevated user position. The combination of high CVSS severity, ease of exploitation once credentials are obtained, and catastrophic business impact (full administrative compromise) makes this a critical remediation priority. Organizations should patch within 48–72 hours if possible.
Risk score, explained
The CVSS 3.1 score of 7.2 (HIGH) reflects: (1) network-accessible attack vector requiring no special network access; (2) low attack complexity—no advanced techniques required; (3) high-privilege requirement—attacker must already have Editor or above access; (4) high impact on confidentiality, integrity, and availability. The score would be even higher (8.0+) if the vulnerability were exploitable by unauthenticated users, but the pre-authentication barrier prevents that classification. Nevertheless, the practical business impact approaches a critical threat level due to the prevalence of compromised editor accounts and the finality of administrator takeover.
Frequently asked questions
Can an attacker exploit this without having any WordPress account?
No. The vulnerability requires the attacker to already possess Editor-level credentials or above. However, editor accounts may be compromised through phishing, credential stuffing, or insider threats, so this should not be underestimated as a practical attack barrier.
If we update Booking Package, do we need to reset all user passwords?
Yes, as a precautionary measure. After patching, conduct an audit of all user accounts created or modified in the 7 days prior to patching. Reset passwords for administrator and high-privilege accounts, and verify that email addresses have not been changed without authorization. Consider forcing a full password reset for all users.
Does this vulnerability affect WordPress sites that don't use the Booking Package plugin?
No. The vulnerability is specific to the Booking Package plugin. If your site does not have this plugin installed, you are not affected by CVE-2026-9851.
Is there a workaround if we can't patch immediately?
Temporarily disable the Booking Package plugin or restrict it to administrator-only access via capability filtering if the plugin supports such configuration. However, patching is the only reliable remediation. Review your editor-level account roster to ensure no unauthorized accounts exist, and enforce strong password policies immediately.
This analysis is provided for informational purposes and should not be construed as legal or compliance advice. Vulnerability details and timelines are based on public disclosures and may change as vendors release additional guidance. Organizations must verify patch availability and compatibility with their specific environment before deploying updates. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Always consult official vendor advisories and security bulletins for definitive guidance. Testing of patches in non-production environments is mandatory before enterprise deployment. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-14772HIGHABB T-MAC Plus Authorization Bypass (CVSS 8.8)
- CVE-2026-41084HIGHApache Airflow Task Instances API Authorization Bypass
- CVE-2026-45281HIGHNextcloud Calendar Authorization Bypass – Patched in 32.0.9 and 33.0.3
- CVE-2026-45743HIGHTermix Authorization Bypass in SSH File Manager
- CVE-2026-46414HIGHMicrosoft UFO WebSocket Authentication Bypass and Role Spoofing
- CVE-2026-7201HIGHProgress Sitefinity Authorization Bypass Allows Cross-User Account Modification
- CVE-2026-10038MEDIUMCharitable WordPress Plugin IDOR Arbitrary Attachment Deletion Vulnerability
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module