CVE-2026-9851 | masaakitanaka Booking Package Plugin up to 1.7.16 on WordPress AJAX Endpoint Schedule::updateUser administrator authorization

A vulnerability has been found in masaakitanaka Booking Package Plugin up to 1.7.16 on WordPress and classified as problematic. This issue affects the function Schedule::updateUser of the component AJAX Endpoint. This manipulation of the argument administrator causes authorization bypass.

This vulnerability appears as CVE-2026-9851. The attack may be initiated remotely. There is no available exploit.

The affected component should be upgraded.VulDB Recent EntriesRead More