CVE-2026-9851: WordPress Booking Package Plugin Privilege Escalation via Account Takeover

Overview

A high-severity privilege escalation vulnerability has been discovered in the Booking Package plugin for WordPress, assigned CVE-2026-9851. The flaw enables attackers to perform an account takeover against any WordPress user account due to a missing authorization check on an AJAX endpoint handler.

The vulnerability was published to the NVD on June 6, 2026, with a CVSS v3 base score of 7.2 (High).

Technical Details

The vulnerability exists in the package_app_action AJAX endpoint. Specifically, the updateUser branch of this endpoint lacks proper capability verification — it only validates a nonce without confirming the requester has the authority to modify the target user account.

An attacker who can obtain or predict a valid nonce can send a crafted AJAX request to alter another user's account data, effectively taking control of that account — including administrator accounts.

Detail	Value
CVE ID	CVE-2026-9851
CVSS Score	7.2 (High)
Attack Vector	Network
Authentication Required	Low (nonce-only validation)
Affected Versions	≤ 1.7.16
Vulnerable Endpoint	`package_app_action` AJAX (`updateUser` branch)
Root Cause	Missing capability check

Impact

Exploitation of CVE-2026-9851 could allow an attacker to:

Take over any WordPress user account, including administrator accounts
Modify user credentials, email addresses, or roles
Install malicious plugins or themes once administrative access is obtained
Exfiltrate customer booking data or personal information
Establish persistent access to the affected WordPress installation

Affected Software

Plugin: Booking Package for WordPress
Affected versions: All versions up to and including 1.7.16
Platform: WordPress

Remediation

Administrators using the Booking Package plugin should:

Update immediately to the latest patched version of the plugin
Audit WordPress user accounts for unauthorized changes to roles, email addresses, or passwords
Review recent AJAX request logs for suspicious package_app_action calls
Rotate administrator credentials if account compromise is suspected
Enable two-factor authentication on all privileged accounts as a defense-in-depth measure
Deploy a WAF capable of detecting WordPress AJAX endpoint abuse

If no patch is available, disable the plugin until an update is released.

References

Overview

The vulnerability was published to the NVD on June 6, 2026, with a CVSS v3 base score of 7.2 (High).

Technical Details

Detail	Value
CVE ID	CVE-2026-9851
CVSS Score	7.2 (High)
Attack Vector	Network
Authentication Required	Low (nonce-only validation)
Affected Versions	≤ 1.7.16
Vulnerable Endpoint	`package_app_action` AJAX (`updateUser` branch)
Root Cause	Missing capability check

Impact

Exploitation of CVE-2026-9851 could allow an attacker to:

Take over any WordPress user account, including administrator accounts

Modify user credentials, email addresses, or roles

Install malicious plugins or themes once administrative access is obtained

Exfiltrate customer booking data or personal information

Establish persistent access to the affected WordPress installation

Remediation

Administrators using the Booking Package plugin should:

Update immediately to the latest patched version of the plugin

Audit WordPress user accounts for unauthorized changes to roles, email addresses, or passwords

Review recent AJAX request logs for suspicious package_app_action calls

Rotate administrator credentials if account compromise is suspected

Enable two-factor authentication on all privileged accounts as a defense-in-depth measure

Deploy a WAF capable of detecting WordPress AJAX endpoint abuse

If no patch is available, disable the plugin until an update is released.

Affected Products

Overview

Technical Details

Impact

Affected Software

Remediation

References

CVE-2026-8206: Kirki WordPress Plugin Critical Privilege Escalation via Account Takeover

CVE-2026-7537: MDJM Event Management WordPress Plugin Arbitrary File Upload

CVE-2026-7459: WordPress Simple History Plugin Account Takeover

CVE-2026-9851: WordPress Booking Package Plugin Privilege Escalation via Account Takeover

Affected Products

Overview

Technical Details

Impact

Affected Software

Remediation

References

CVE-2026-8206: Kirki WordPress Plugin Critical Privilege Escalation via Account Takeover

CVE-2026-7537: MDJM Event Management WordPress Plugin Arbitrary File Upload

CVE-2026-7459: WordPress Simple History Plugin Account Takeover