Description
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the SixStorage Rentals WordPress plugin allows attackers to bypass authorization by using the userId parameter in AJAX requests. Because the wp_ajax_nopriv_* hooks accept the tenant identifier directly from the request without verifying ownership, an unauthenticated user can retrieve or change any tenant’s personal information—including name, email, phone number, address, and Social Security Number. This flaw, classified as CWE‑639, results in a direct compromise of confidentiality, integrity, and potentially the privacy of all users under the affected tenancy.

Affected Systems

Any WordPress site running the SixStorage Rentals plugin version 2.22.0 or earlier is at risk. The plugin must be identified via its name and version and updated or removed to mitigate the issue.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the lack of authentication checks means the attack vector is remote with minimal user interaction. While the EPSS score is unavailable, the vulnerability remains notable because it can be exploited by anyone capable of sending crafted AJAX requests to the plugin’s endpoints, allowing broad exposure of sensitive user data. The vulnerability is not yet listed in the CISA KEV catalog, but its potential impact warrants immediate attention.

Generated by OpenCVE AI on June 9, 2026 at 05:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SixStorage Rentals to the latest version that removes the insecure AJAX hooks or patches the code to require authentication before processing userId.
  • If an immediate upgrade is not possible, modify the plugin to delete the wp_ajax_nopriv_* registrations or add capability checks so the AJAX handlers run only for authenticated users.
  • Add nonce validation and enforce owner verification for the userId parameter in the six_storage_get_user_info and six_storage_update_profile functions to prevent unauthorized access.
  • Implement application‑level controls such as a web‑application firewall rule to block or rate‑limit requests to the affected AJAX endpoints from unauthenticated sources.

Generated by OpenCVE AI on June 9, 2026 at 05:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Sixstorage
Sixstorage 6storage Rentals
Wordpress
Wordpress wordpress
Vendors & Products Sixstorage
Sixstorage 6storage Rentals
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.
Title 6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Sixstorage 6storage Rentals
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T15:13:19.602Z

Reserved: 2026-05-21T14:57:48.503Z

Link: CVE-2026-9185

cve-icon Vulnrichment

Updated: 2026-06-09T15:01:48.145Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T05:16:41.213

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-9185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:56:06Z

Weaknesses