CVE-2026-9851
The CVE-2026-9851 entry concerns the Booking Package plugin for WordPress (versions up to 1.7.16). The vulnerability arises from a missing capability check in the updateUser branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and Schedule::updateUser() is invo...