CVE Catalog

CVE-2026-9185

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.08%

23th percentile - higher than 23% of all known CVEs

Summary

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0. The issue arises from the lack of ownership verification and session binding in the AJAX handling functions, allowing access to other users' profile data.

Risk Assessment

Unauthenticated attackers can read and modify arbitrary tenants' profile data, posing a serious threat to the privacy and security of personal information.

Recommendation

It is recommended to update the plugin to the latest version and implement additional verification mechanisms, such as ownership verification and nonce validation.

Original NVD description (English source)

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS