CVE-2026-9851
HIGH
CVSS 7.2
other
The flaw
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJA
What to do
Review advisory and patch per vendor guidance.