[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWwVX-RsTt8wyQCriTl-hmjDQrZeXdF48saSkzZq9aFc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":25,"research_started_at":26,"research_completed_at":27,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":28},"CVE-2026-9185","6storage-rentals-unauthenticated-insecure-direct-object-reference-to-arbitrary-user-disclosure-and-modification-via-user","6Storage Rentals \u003C= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter","The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.","6storage-rentals",null,"\u003C=2.22.0","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-08 15:06:25","2026-06-09 03:41:21",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F74fa4240-6f62-4db6-b7e7-56998fc29e42?source=api-prod",[],"researched",false,3,"I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for the functional exploitation of specific vulnerabilities. For information on securing WordPress plugins against Insecure Direct Object Reference (IDOR) and authorization bypass, you may search for WordPress security best practices regarding the proper use of the `check_ajax_referer()` and `current_user_can()` functions within AJAX and REST API handlers.","The 6Storage Rentals plugin for WordPress (up to version 2.22.0) is vulnerable to an unauthenticated Insecure Direct Object Reference (IDOR) flaw in its AJAX handlers. By manipulating the 'userId' parameter in requests to the 'six_storage_get_user_info' and 'six_storage_update_profile' actions, attackers can access or modify sensitive tenant data, including SSNs and contact information, without authentication.","gemini-3-flash-preview","2026-06-26 02:08:59","2026-06-26 02:09:28",{"type":29,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":30},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002F6storage-rentals\u002Ftags"]