CVE-2026-9851
WordPress Vulnerability Analysis and Mitigation

Overview

CVE-2026-9851 is a Privilege Escalation via Account Takeover vulnerability in the Booking Package plugin for WordPress, affecting versions up to and including 1.7.16. The flaw allows authenticated attackers with Editor-level access or above to change the email address and password of any WordPress account, including Administrator accounts, resulting in full site takeover. It was published on June 6, 2026, and assigned a CVSS v3.1 base score of 7.2 (High) (GitHub Advisory, Wordfence). The CVE status is currently listed as "Deferred" in the Feedly intelligence feed.

Technical details

The root cause is a missing capability check (CWE-639: Authorization Bypass Through User-Controlled Key) on the updateUser branch of the package_app_action AJAX endpoint in the plugin. The handler only validates a WordPress nonce but does not verify whether the requesting user has administrative privileges; the dispatcher calls Schedule::updateUser() with the $administrator argument hard-coded to 1, which bypasses the sole owner-restriction check inside that function (GitHub Advisory, Wordfence). The target user is determined entirely by attacker-supplied input, which is passed directly to WordPress's wp_update_user() function, enabling arbitrary account modification. The vulnerable code paths are visible in the plugin source at index.php#L4416, index.php#L4477, and lib/Schedule.php#L868 in version 1.7.13 (WordPress Trac).
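To make the root cause concrete, here is an added illustration of the pattern the advisory describes. It was written for this page and is not the plugin's source code: the handler names, the nonce action `package_app_nonce`, and the request fields `user_id`, `email` and `password` are assumptions, and the exact shape of `Schedule::updateUser()` is not reproduced. The first handler performs only the nonce check, so CSRF protection ends up standing in for authorization; the second adds the capability check that was missing.

```php
<?php
// Added example: hypothetical reconstruction of the pattern, not the plugin's code.

/**
 * Pattern A: nonce check only. The nonce proves the request came from a
 * logged-in session on this site, not that the session may edit $user_id.
 */
function example_vulnerable_update_user() {
    check_ajax_referer('package_app_nonce', 'nonce'); // assumed nonce action/field names

    $user_id = absint($_POST['user_id'] ?? 0);        // attacker-controlled key (CWE-639)

    $userdata = array(
        'ID'         => $user_id,
        'user_email' => sanitize_email($_POST['email'] ?? ''),
        'user_pass'  => (string) ($_POST['password'] ?? ''),
    );

    // Equivalent of calling the update routine with $administrator = 1:
    // the owner restriction is skipped and any account, including an
    // Administrator, can be rewritten by any user who holds a nonce.
    $result = wp_update_user($userdata);

    if (is_wp_error($result)) {
        wp_send_json_error(array('message' => $result->get_error_message()), 400);
    }
    wp_send_json_success();
}

/**
 * Pattern B: nonce check plus an authorization check. The 'edit_user' meta
 * capability resolves to "own profile" for ordinary users and requires
 * 'edit_users' (Administrators by default) for anyone else's account.
 */
function example_hardened_update_user() {
    check_ajax_referer('package_app_nonce', 'nonce');

    $user_id = absint($_POST['user_id'] ?? 0);

    if ($user_id === 0 || !current_user_can('edit_user', $user_id)) {
        wp_send_json_error(array('message' => 'You are not allowed to edit this user.'), 403);
    }

    // Defence in depth: a non-Administrator must never touch an Administrator
    // account, even if some custom role has been granted edit_users.
    if (user_can($user_id, 'manage_options') && !current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'You are not allowed to edit this user.'), 403);
    }

    $userdata = array('ID' => $user_id);

    $email = sanitize_email($_POST['email'] ?? '');
    if ($email !== '' && is_email($email)) {
        $userdata['user_email'] = $email;
    }
    if (!empty($_POST['password'])) {
        $userdata['user_pass'] = (string) $_POST['password'];
    }

    $result = wp_update_user($userdata);

    if (is_wp_error($result)) {
        wp_send_json_error(array('message' => $result->get_error_message()), 400);
    }
    wp_send_json_success();
}

// Hypothetical AJAX registration: logged-in users only, no nopriv variant.
add_action('wp_ajax_example_update_user', 'example_hardened_update_user');
```

The `edit_user` meta capability is what WordPress core's own profile handlers rely on, so the check lines up with how the role system already decides who may edit whom; a nonce alone never answers that question.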

Impact

Successful exploitation allows an authenticated attacker with Editor-level (or higher) access to modify the email address and password of any WordPress user account, including site Administrators, resulting in complete site takeover. The confidentiality, integrity, and availability impacts are all rated High, as an attacker who seizes an Administrator account gains full control over site content, user data, installed plugins, and server-side configurations (GitHub Advisory, Wordfence). This could further enable lateral movement within hosting environments or lead to data exfiltration and malware installation.

Exploitation steps

  1. Reconnaissance: Identify WordPress sites running the Booking Package plugin at version 1.7.16 or earlier using tools like WPScan or by inspecting plugin metadata in publicly accessible readme.txt files.
  2. Obtain Editor-level access: Authenticate to the target WordPress site using a compromised or legitimately obtained Editor (or higher) account.
  3. Retrieve a valid nonce: Load any WordPress page that includes the plugin's AJAX nonce (e.g., a booking management page), and extract the nonce value from the page source or network traffic.
  4. Craft malicious AJAX request: Send a POST request to wp-admin/admin-ajax.php with the action set to package_app_action, the branch parameter set to updateUser, the valid nonce, and attacker-supplied user ID and new email/password values targeting the Administrator account.
  5. Account takeover: The server invokes Schedule::updateUser() with $administrator hard-coded to 1, bypassing the owner check, and calls wp_update_user() with the attacker's supplied data — changing the Administrator's credentials.
  6. Full site takeover: Log in as the Administrator using the newly set credentials to gain complete control of the WordPress site (GitHub Advisory, Wordfence).

Indicators of compromise

  • Network: Unusual POST requests to wp-admin/admin-ajax.php with action=package_app_action and a branch parameter of updateUser originating from non-administrative user sessions.
  • Logs: WordPress access logs showing repeated AJAX calls to admin-ajax.php with package_app_action from Editor-level accounts; authentication logs showing Administrator account login from unfamiliar IP addresses shortly after such requests.
  • Application Events: WordPress user modification events (e.g., profile_update hook triggers) for Administrator accounts initiated by non-Administrator users; unexpected changes to Administrator email addresses recorded in the WordPress database (wp_users and wp_usermeta tables).
  • File System: New or modified plugin files in the booking-package directory that may indicate post-compromise tampering; unexpected new administrator accounts or changes to existing ones visible in wp_users.

Mitigation and workarounds

Update the Booking Package plugin to version 1.7.17 or later, which contains the patch addressing the missing capability check (Wordfence, WordPress Trac Changeset). If immediate updating is not possible, restrict Editor-level and higher user access to trusted individuals only, and consider temporarily deactivating the Booking Package plugin. Monitor WordPress user accounts for unauthorized email or password changes, particularly on Administrator accounts, and enable two-factor authentication for all privileged accounts as an additional safeguard.
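The application-event indicator listed above (a `profile_update` fired for an Administrator account by a non-Administrator session) and the monitoring advice in this section can be turned into a small must-use plugin. The following is an added example written for this page, not code from the advisory, from Wordfence, or from the plugin. The function name, the file location and the choice to write to the PHP error log are assumptions; the hook signature and every WordPress function called are core APIs.

```php
<?php
/**
 * Added example: hypothetical must-use plugin (assumed location
 * wp-content/mu-plugins/flag-admin-account-changes.php) that logs any change
 * to an Administrator's email or password and marks it as an alert when the
 * actor is neither that user nor an Administrator.
 */
add_action('profile_update', 'example_flag_privileged_account_change', 10, 2);

function example_flag_privileged_account_change($user_id, $old_user_data) {
    $user_id = (int) $user_id;

    // Only accounts that can administer the site are of interest here.
    if (!user_can($user_id, 'manage_options')) {
        return;
    }

    // profile_update fires after the user cache is cleared, so this is the new state.
    $new = get_userdata($user_id);
    if (!$new || !($old_user_data instanceof WP_User)) {
        return;
    }

    $changed = array();
    if ($old_user_data->user_email !== $new->user_email) {
        $changed[] = 'email';
    }
    if ($old_user_data->user_pass !== $new->user_pass) {
        $changed[] = 'password';
    }
    if (empty($changed)) {
        return; // e.g. a display-name edit; not credential related
    }

    $actor_id       = get_current_user_id();            // 0 for WP-CLI or cron
    $is_self        = ($actor_id === $user_id);
    $actor_is_admin = ($actor_id !== 0 && user_can($actor_id, 'manage_options'));

    // The CVE-2026-9851 pattern: an Editor session rewriting an Administrator.
    $level = ($is_self || $actor_is_admin) ? 'info' : 'ALERT';

    // Record which AJAX action/branch carried the change so the entry can be
    // correlated with the admin-ajax.php requests in the web server log.
    $action = isset($_POST['action']) ? sanitize_text_field(wp_unslash($_POST['action'])) : '-';
    $branch = isset($_POST['branch']) ? sanitize_text_field(wp_unslash($_POST['branch'])) : '-';

    error_log(sprintf(
        '[%s] privileged account #%d (%s) changed [%s] by actor #%d from %s via %s action=%s branch=%s',
        $level,
        $user_id,
        $new->user_login,
        implode(',', $changed),
        $actor_id,
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-',
        $action,
        $branch
    ));
}
```

Because the hook runs inside the request that performs the change, the entry captures the acting session's user ID, the source address, and the `action` and `branch` parameters named in the network indicator, which is enough to pivot into the access log at the same timestamp. Shipping `error_log` output to a SIEM is left to the host's normal PHP logging configuration, and the plugin update remains the actual fix; this only makes a recurrence visible.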

Community reactions

Wordfence published the vulnerability in their threat intelligence database and included it in their weekly WordPress vulnerability report for June 1–7, 2026 (Wordfence Blog). The vulnerability was also referenced in a CISA vulnerability bulletin for the week of June 1, 2026 (CISA Bulletin). Social media activity was limited, with brief mentions on Bluesky and Mastodon/infosec.exchange from automated CVE tracking accounts, indicating low community alarm consistent with the absence of active exploitation.

Additional resources

Source: this report was generated using artificial intelligence.
