CVE-2026-9185
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk23th percentile - higher than 23% of all known CVEs
Summary
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0. The issue arises from the lack of ownership verification and session binding in the AJAX handling functions, allowing access to other users' profile data.
Risk Assessment
Unauthenticated attackers can read and modify arbitrary tenants' profile data, posing a serious threat to the privacy and security of personal information.
Recommendation
It is recommended to update the plugin to the latest version and implement additional verification mechanisms, such as ownership verification and nonce validation.
Original NVD description (English source)
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.

