Privilege Escalation in Booking Package Plugin for WordPress
CVE-2026-9851
7.2HIGH
What is CVE-2026-9851?
The Booking Package plugin for WordPress contains a critical vulnerability that allows authenticated users with Editor-level access or higher to escalate their privileges. Due to a lack of proper capability checks on the AJAX endpoint, specifically in the updateUser function, users can bypass security measures to change email addresses and passwords of any WordPress accounts, including those of Administrators. This flaw stems from insufficient validation of user inputs, enabling malicious actors to achieve full site control without proper authorization.
Affected Version(s)
Booking Package 0 <= 1.7.16