PT-2026-47684 · WordPress · 6Storage Rentals

Joy Gilbert · Published 2026-06-09 · Updated 2026-06-09 · CVE-2026-9185

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: 6Storage Rentals versions prior to 2.22.1

Description: An authorization bypass exists in the 6Storage Rentals plugin for WordPress. Unauthenticated attackers can read and modify arbitrary tenant profile data, including names, email addresses, phone numbers, physical addresses, and Social Security Numbers (SSN). This occurs because the six_storage_getUserInfo() and six_storage_updateProfile() functions are registered on wp_ajax_nopriv_* hooks and accept a tenant identifier via the userId parameter in the 'six_storage_get_user_info' and 'six_storage_update_profile' AJAX actions without performing ownership verification, session binding, or nonce validation. This allows the use of an enumerated userId value in crafted requests to access or alter data.

Recommendations: Update the plugin to a version later than 2.22.0. As a temporary mitigation, restrict access to the 'six_storage_get_user_info' and 'six_storage_update_profile' AJAX actions or avoid using the userId parameter in these endpoints until the update is applied.
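The description above names the three missing controls (ownership verification, session binding, nonce validation) and the hook class (wp_ajax_nopriv_*) that together make the endpoint reachable without authentication. The following is an added example of how a WordPress AJAX profile handler is written so that none of those gaps exist; it is not the 6Storage Rentals plugin's code, and the action names (secure_profile_get, secure_profile_update), the nonce action string, the script handle and the tenant_phone meta key are assumptions chosen for illustration.

```php
<?php
// Added example, not the 6Storage Rentals plugin's code. Handler names, the
// nonce action string, the script handle and the 'tenant_phone' meta key are
// hypothetical.

// Weak pattern the advisory describes (kept here only as a comment): a
// wp_ajax_nopriv_* hook makes the handler reachable without a login, and the
// handler trusts a client-supplied userId to pick the tenant record.
// add_action( 'wp_ajax_nopriv_six_storage_get_user_info', 'six_storage_getUserInfo' );

// Hardened pattern: register on wp_ajax_* only (logged-in callers), verify the
// nonce, and take the identity from the session rather than from the request.
add_action( 'wp_ajax_secure_profile_get', 'secure_profile_get' );
add_action( 'wp_ajax_secure_profile_update', 'secure_profile_update' );

function secure_profile_get() {
    // Dies with HTTP 403 when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'secure_profile_nonce', 'nonce' );

    // Session binding: the record returned is always the caller's own.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( array( 'message' => 'Authentication required' ), 401 );
    }

    $user = get_userdata( $user_id );
    wp_send_json_success( array(
        'name'  => $user->display_name,
        'email' => $user->user_email,
        'phone' => get_user_meta( $user_id, 'tenant_phone', true ),
    ) );
}

function secure_profile_update() {
    check_ajax_referer( 'secure_profile_nonce', 'nonce' );

    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( array( 'message' => 'Authentication required' ), 401 );
    }

    // Ownership verification: a userId other than the caller's own is honoured
    // only when the caller holds the capability to edit that user (staff roles).
    $target_id = $user_id;
    if ( isset( $_POST['userId'] ) ) {
        $requested = absint( wp_unslash( $_POST['userId'] ) );
        if ( $requested !== $user_id && ! current_user_can( 'edit_user', $requested ) ) {
            wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
        }
        $target_id = $requested;
    }

    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    update_user_meta( $target_id, 'tenant_phone', $phone );
    wp_send_json_success( array( 'updated' => $target_id ) );
}

// The nonce is issued to the page that makes the AJAX calls; 'secure-profile-js'
// is an assumed script handle that must already be registered.
function secure_profile_enqueue() {
    wp_localize_script( 'secure-profile-js', 'secureProfile', array(
        'nonce' => wp_create_nonce( 'secure_profile_nonce' ),
        'url'   => admin_url( 'admin-ajax.php' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'secure_profile_enqueue' );
```

Two points are worth checking in any handler of this shape. First, a nonce on its own is not authorization: a nopriv endpoint hands its nonce to every visitor, so the nonce check only becomes meaningful once the hook is restricted to logged-in users and the identity comes from get_current_user_id(). Second, the 403 on the explicit userId path is what turns an enumerated identifier into a logged failure rather than a data read; counting those responses per source in the web server log is a simple detection for probing of this kind.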

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-9185

Affected Products: 6Storage Rentals