A privilege escalation vulnerability in the Booking Package WordPress plugin, tracked as CVE-2026-9851 (CVSS 7.2), allows attackers to take over user accounts — including administrator accounts — through a missing capability check on the updateUser AJAX endpoint. All versions up to and including 1.7.16 are affected.
What Is the Vulnerability?
CVE-2026-9851 is an authorization bypass vulnerability (CWE-639) in the package_app_action AJAX endpoint. The updateUser branch of this endpoint validates only a nonce — it does not check whether the requesting user has the capability to modify user accounts. Since the nonce is typically available in the page source of any frontend page, an unauthenticated attacker who extracts it can send requests to modify arbitrary user account details, including passwords. This enables account takeover of any registered user, including administrators.
- CVSS v3.1 Score: 7.2 (High)
- CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
Which Versions Are Affected?
- Booking Package: all versions up to and including 1.7.16
Is It Being Exploited in the Wild?
No active exploitation has been publicly confirmed. The pattern — AJAX endpoint with nonce-only protection and no capability check — is commonly targeted.
What Is the Fix?
Update Booking Package to a version beyond 1.7.16. The fix adds proper capability checks to the updateUser endpoint.
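To make the pattern described above concrete, here is an added example (not the Booking Package plugin's own code) of an admin-ajax handler in the vulnerable nonce-only form next to a hardened form that adds the missing authorization check. The function names, the `bp_demo_nonce` nonce action, the `action_type` parameter and the `updateUser` sub-action are assumptions for illustration; only the shape of the defect and of the fix is taken from the advisory.

```php
<?php
// Added example (assumed names; not the plugin's code): vulnerable vs. hardened
// AJAX handler for a "updateUser" sub-action.

// --- Vulnerable pattern (do not deploy) -----------------------------------
// Registered for logged-in AND logged-out callers, so the nonce is the only
// barrier, and that nonce is printed into the public page source.
add_action( 'wp_ajax_bp_demo_app_action',        'bp_demo_app_action_vulnerable' );
add_action( 'wp_ajax_nopriv_bp_demo_app_action', 'bp_demo_app_action_vulnerable' );

function bp_demo_app_action_vulnerable() {
    check_ajax_referer( 'bp_demo_nonce', 'nonce' ); // CSRF token only: proves the caller saw the page
    $sub = isset( $_POST['action_type'] ) ? sanitize_text_field( wp_unslash( $_POST['action_type'] ) ) : '';
    if ( 'updateUser' === $sub ) {
        // No current_user_can() check: the caller chooses the target ID and the new password.
        wp_update_user( array(
            'ID'        => (int) $_POST['user_id'],
            'user_pass' => (string) wp_unslash( $_POST['password'] ),
        ) );
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown action' );
}

// --- Hardened pattern -------------------------------------------------------
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_bp_demo_app_action_safe', 'bp_demo_app_action_safe' );

function bp_demo_app_action_safe() {
    check_ajax_referer( 'bp_demo_nonce', 'nonce' ); // still needed, but it is not authorization

    $sub = isset( $_POST['action_type'] ) ? sanitize_text_field( wp_unslash( $_POST['action_type'] ) ) : '';
    if ( 'updateUser' !== $sub ) {
        wp_send_json_error( 'unknown action', 400 );
    }

    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    // Authorization: the caller must be allowed to edit THIS user. The edit_user
    // meta capability maps to edit_users for other accounts and permits a user
    // to edit only their own profile otherwise, so a subscriber cannot retarget
    // an administrator's account.
    if ( ! $target_id || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $userdata = array( 'ID' => $target_id );
    if ( ! empty( $_POST['password'] ) ) {
        $userdata['user_pass'] = (string) wp_unslash( $_POST['password'] );
    }
    if ( ! empty( $_POST['email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['email'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( 'invalid email', 400 );
        }
        $userdata['user_email'] = $email;
    }

    $result = wp_update_user( $userdata );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'updated' => $target_id ) );
}
```

The point to take away is the separation of duties between the two checks: `check_ajax_referer()` defends against cross-site request forgery and nothing else, while `current_user_can()` is what decides whether the caller may act on the chosen user ID. Dropping the `wp_ajax_nopriv_` registration closes the unauthenticated path entirely, and checking the meta capability against the specific target ID (rather than a blanket `edit_users`) also stops a low-privilege user from modifying accounts other than their own.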
Recommendations
Update Booking Package immediately. The missing capability check on user modification is a classic privilege escalation pattern that enables full account takeover.
Audit user accounts. After updating, check for unexpected changes to user passwords, email addresses or roles, especially on administrator accounts. Review your WordPress activity log (if an audit-logging plugin is installed) and web server access logs for unusual user modification events.
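WordPress core keeps no record of who changed a password or e-mail address, so the audit step above has little to work with unless something writes that record. The following added example (not part of the advisory or the plugin) is a small must-use plugin that logs password, e-mail and role changes together with the acting user and the request that triggered them. The `bp_demo_` function names and the decision to write to PHP's error log are assumptions; drop the file into `wp-content/mu-plugins/` to activate it.

```php
<?php
// Added example (assumed names; not the plugin's code): log user modifications
// so that post-update review has something concrete to inspect.

add_action( 'profile_update', 'bp_demo_audit_profile_update', 10, 3 );
add_action( 'set_user_role',  'bp_demo_audit_role_change',    10, 3 );

// profile_update fires after wp_update_user(); $old is the WP_User as it was
// before the change, so a field-by-field comparison reveals what moved.
function bp_demo_audit_profile_update( $user_id, $old, $userdata = array() ) {
    $new = get_userdata( $user_id );
    if ( ! ( $old instanceof WP_User ) || ! $new ) {
        return;
    }
    $changes = array();
    if ( $old->user_pass !== $new->user_pass ) {
        $changes[] = 'password';
    }
    if ( $old->user_email !== $new->user_email ) {
        $changes[] = 'email:' . $old->user_email . '->' . $new->user_email;
    }
    if ( ! empty( $changes ) ) {
        bp_demo_audit_write( $user_id, $changes );
    }
}

// set_user_role fires whenever a role is added, removed or replaced.
function bp_demo_audit_role_change( $user_id, $role, $old_roles ) {
    bp_demo_audit_write( $user_id, array( 'role:' . implode( '|', (array) $old_roles ) . '->' . $role ) );
}

function bp_demo_audit_write( $user_id, array $changes ) {
    $entry = array(
        'time'    => gmdate( 'c' ),
        'target'  => (int) $user_id,
        'actor'   => get_current_user_id(), // 0 means the request carried no login session
        'request' => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'action'  => isset( $_REQUEST['action'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['action'] ) ) : '',
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'changes' => $changes,
    );
    // One JSON line per event; lands in debug.log when WP_DEBUG_LOG is enabled,
    // otherwise in the web server's PHP error log.
    error_log( 'user-audit ' . wp_json_encode( $entry ) );
}
```

When reviewing the resulting lines, the combination worth flagging is a `password` or `email` change on a privileged `target` whose `actor` is `0` or a low-privilege user and whose `request` points at `admin-ajax.php`; that is exactly the footprint the advisory's nonce-only endpoint would leave. One caveat: `profile_update` only fires through `wp_update_user()`, so a password changed directly with `wp_set_password()` is not caught here; the `after_password_reset` hook covers the normal reset flow if you need that too.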
References
This advisory was first covered in the broader Vulnerability Intelligence Report — June 7, 2026.
