Privilege Escalation in Booking Package Plugin for WordPress
CVE-2026-9851

7.2HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
6 June 2026

What is CVE-2026-9851?

The Booking Package plugin for WordPress contains a critical vulnerability that allows authenticated users with Editor-level access or higher to escalate their privileges. Due to a lack of proper capability checks on the AJAX endpoint, specifically in the updateUser function, users can bypass security measures to change email addresses and passwords of any WordPress accounts, including those of Administrators. This flaw stems from insufficient validation of user inputs, enabling malicious actors to achieve full site control without proper authorization.

Affected Version(s)

Booking Package 0 <= 1.7.16

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Md. Moniruzzaman Prodhan
.