cleantalk
Vulnerabilities and Security Researches

Booking Package, CVE-2026-9851

CVE, Research URL

CVE-2026-9851

Home page URL

Security reports for Booking Package

Application

Booking Package

Published on
Jun 06, 2026
Research Description
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.
Affected versions
max 1.7.17.
Status
vulnerable
Previous vulnerability researches
Booking Package (CVE-2026-40774) , May 02, 2026
Booking Package (CVE-2024-13508) , Feb 20, 2025
Booking Package (CVE-2026-9851) , Jun 07, 2026
Booking Package (CVE-2026-4911) , Apr 29, 2026
Booking Package (CVE-2021-20840) , Jun 06, 2024
New vulnerability
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin (CVE-2026-48965) , Jun 07, 2026
WP User Manager – User Profile Builder & Membership (CVE-2026-9290) , Jun 07, 2026
Page-list (CVE-2026-9008) , Jun 07, 2026
MDJM Event Management (CVE-2026-7537) , Jun 07, 2026
Stripe Express (CVE-2026-8893) , Jun 07, 2026