Description
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.
Published: 2026-06-06
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Booking Package WordPress plugin contains a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint. Only a nonce is validated, and the dispatcher calls Schedule::updateUser() with the administrator argument hard-coded to 1. This bypasses the function's owner-restriction logic and allows an attacker to supply any user ID to wp_update_user(). This flaw, a classic example of CWE-639, gives authenticated users with Editor-level access or higher the ability to change the email address or password of any account, including Site Administrators, effectively taking over the entire site. The flaw is a privilege escalation that results in full control over the WordPress installation.

Affected Systems

This vulnerability affects the Booking Package plugin for WordPress, specifically all versions up to and including 1.7.16. Any WordPress site running this plugin is exposed wherever accounts hold Editor-level or higher permissions, since those accounts can trigger the flaw.

Risk and Exploitability

The flaw carries a CVSS score of 7.2, indicating high severity. Although no EPSS score is available, the vulnerability is well known and has been reported in multiple public advisories, suggesting it is likely to be exploited by attackers who already have authenticated access. The attack vector is the web interface: an authenticated user can trigger the vulnerable AJAX action. Because the impact includes full site takeover and the vulnerability is not mitigated by current role restrictions, the risk level remains high and warrants immediate action.

Generated by OpenCVE AI on June 6, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Booking Package plugin to version 1.7.17 or later, which removes the missing capability check on the updateUser action.
  • If an immediate update is not possible, temporarily restrict Editor and higher level users from accessing the affected AJAX endpoint by applying a custom WordPress capability filter or by disabling the updateUser action via a security plugin.
  • After applying the update or restriction, review all user accounts to ensure no unauthorized changes were made and monitor for any suspicious activity.
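As an added example (not the plugin's or OpenCVE's code), the stopgap from the second recommendation alongside a hardened form of the updateUser branch the Description explains; the hook priority, the user_id/user_email/user_pass parameter names and hardened_update_user() are assumptions.

```php
<?php
/*
 * Plugin Name: Stopgap for CVE-2026-9851 (must-use plugin)
 * Drop into wp-content/mu-plugins/ until Booking Package is updated.
 * Hypothetical illustration of the recommended workaround; not the plugin's own code.
 * Assumption: the plugin registers its handler on wp_ajax_package_app_action at the
 * default priority (10), so a priority-0 callback runs first and can refuse the request.
 */
add_action( 'wp_ajax_package_app_action', function () {
    // A nonce only proves the request came from a logged-in session of this site; it says
    // nothing about what that session may do, so the decision must rest on a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'package_app_action restricted' ), 403 );
    }
}, 0 );

/*
 * What a correct updateUser branch looks like (hardened pattern, assumed names). The
 * vulnerable dispatcher passed $administrator = 1 unconditionally, so the function's
 * owner check never ran and the request chose the target ID.
 */
function hardened_update_user( array $request ) {
    $target   = isset( $request['user_id'] ) ? (int) $request['user_id'] : 0;
    $is_owner = ( $target === get_current_user_id() );
    // edit_user is WordPress's per-target meta capability: derive privilege from the
    // caller's own session, never from a flag supplied by the dispatcher or the request.
    if ( $target <= 0 || ( ! $is_owner && ! current_user_can( 'edit_user', $target ) ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    $payload = array( 'ID' => $target );
    if ( ! empty( $request['user_email'] ) ) {
        $payload['user_email'] = sanitize_email( wp_unslash( $request['user_email'] ) );
    }
    if ( ! empty( $request['user_pass'] ) ) {
        $payload['user_pass'] = wp_unslash( $request['user_pass'] );
    }
    // wp_update_user() returns the user ID on success or a WP_Error on failure.
    $result = wp_update_user( $payload );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'ID' => $result ) );
}
```

The stopgap blocks the whole endpoint for everyone below Administrator, which is what the recommendation asks for; the hardened function shows the per-target check the plugin's fixed branch needs.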


Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 06 Jun 2026 06:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Masaakitanaka; Masaakitanaka booking Package; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Masaakitanaka; Masaakitanaka booking Package; Wordpress; Wordpress wordpress

Sat, 06 Jun 2026 05:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.

Type: Title
Values Removed: (none)
Values Added: Booking Package <= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:41:39.564Z

Reserved: 2026-05-28T14:49:39.596Z

Link: CVE-2026-9851

Vulnrichment

Updated: 2026-06-06T11:41:34.405Z

NVD

Status : Received

Published: 2026-06-06T05:16:30.047

Modified: 2026-06-06T05:16:30.047

Link: CVE-2026-9851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T07:00:14Z

Weaknesses