Vulnerability-Lookup

CNVD-2026-23831

Vulnerability from cnvd - Published: 2026-06-12

Title

WordPress插件6Storage Rentals存在未明漏洞

Description

WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress插件6Storage Rentals存在安全漏洞，该漏洞源于six_storage_get_user_info和six_storage_update_profile AJAX操作中的userId参数缺少所有权验证、会话绑定或nonce验证，攻击者可利用该漏洞通过提供枚举的userId值读取和修改任意租户的个人资料数据，包括姓名、电子邮件地址、电话号码、物理地址和社会安全号码。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.wordfence.com/threat-intel/vulnerabilities/id/74fa4240-6f62-4db6-b7e7-56998fc29e42?source=cve

Reference

https://nvd.nist.gov/vuln/detail/CVE-2026-9185

Impacted products

Name
WordPress 6 Storage Rentals <=2.22.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2026-9185",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-9185"
    }
  },
  "description": "WordPress\u662f\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5177\u6709\u5728\u57fa\u4e8ePHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u7684\u529f\u80fd\u3002WordPress plugin\u662f\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\n\nWordPress\u63d2\u4ef66Storage Rentals\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8esix_storage_get_user_info\u548csix_storage_update_profile AJAX\u64cd\u4f5c\u4e2d\u7684userId\u53c2\u6570\u7f3a\u5c11\u6240\u6709\u6743\u9a8c\u8bc1\u3001\u4f1a\u8bdd\u7ed1\u5b9a\u6216nonce\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u63d0\u4f9b\u679a\u4e3e\u7684userId\u503c\u8bfb\u53d6\u548c\u4fee\u6539\u4efb\u610f\u79df\u6237\u7684\u4e2a\u4eba\u8d44\u6599\u6570\u636e\uff0c\u5305\u62ec\u59d3\u540d\u3001\u7535\u5b50\u90ae\u4ef6\u5730\u5740\u3001\u7535\u8bdd\u53f7\u7801\u3001\u7269\u7406\u5730\u5740\u548c\u793e\u4f1a\u5b89\u5168\u53f7\u7801\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.wordfence.com/threat-intel/vulnerabilities/id/74fa4240-6f62-4db6-b7e7-56998fc29e42?source=cve",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-23831",
  "openTime": "2026-06-12",
  "products": {
    "product": "WordPress 6 Storage Rentals \u003c=2.22.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2026-9185",
  "serverity": "\u9ad8",
  "submitTime": "2026-06-10",
  "title": "WordPress\u63d2\u4ef66Storage Rentals\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2026-9185 (GCVE-0-2026-9185)

Vulnerability from cvelistv5 – Published: 2026-06-09 03:41 – Updated: 2026-06-09 15:13

Title

6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter

Summary

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

Wordfence

References

11 references

URL	Tags
https://www.wordfence.com/threat-intel/vulnerabil…
https://plugins.trac.wordpress.org/browser/6stora…
https://plugins.trac.wordpress.org/browser/6stora…
https://plugins.trac.wordpress.org/browser/6stora…
https://plugins.trac.wordpress.org/browser/6stora…
https://plugins.trac.wordpress.org/browser/6stora…
https://plugins.trac.wordpress.org/browser/6stora…
https://plugins.trac.wordpress.org/browser/6stora…
https://plugins.trac.wordpress.org/browser/6stora…
https://plugins.trac.wordpress.org/browser/6stora…
https://plugins.trac.wordpress.org/browser/6stora…

Impacted products

1 product

Vendor	Product	Version
sixstorage	6Storage Rentals	Affected: 0 , ≤ 2.22.0 (semver)

Credits

Joy Gilbert

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9185",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T15:01:44.232131Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T15:13:19.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "6Storage Rentals",
          "vendor": "sixstorage",
          "versions": [
            {
              "lessThanOrEqual": "2.22.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Joy Gilbert"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST[\u0027userId\u0027]` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants\u0027 profile data \u2014 including name, email address, phone number, physical address, and SSN \u2014 by supplying an enumerated `userId` value in a crafted request to either handler."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T03:41:20.509Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74fa4240-6f62-4db6-b7e7-56998fc29e42?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L998"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L1955"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L11"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L995"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.22.0/inc/Base/Six_Storage_DashboardController.php#L1931"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L998"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L1955"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L11"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L995"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/6storage-rentals/tags/2.20.2/inc/Base/Six_Storage_DashboardController.php#L1931"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-08T15:06:25.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "6Storage Rentals \u003c= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via \u0027userId\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-9185",
    "datePublished": "2026-06-09T03:41:20.509Z",
    "dateReserved": "2026-05-21T14:57:48.503Z",
    "dateUpdated": "2026-06-09T15:13:19.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-23831

CVE-2026-9185 (GCVE-0-2026-9185)

Tags

Sightings

Nomenclature