CVE-2026-9185
6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data โ including name, email address, phone number, physical address, and SSN โ by supplying an enumerated `userId` value in a crafted request to either handler.
| CWE | CWE-639 |
| Vendor | sixstorage |
| Product | 6storage rentals |
| Published | Jun 9, 2026 |
| Last Updated | Jun 9, 2026 |
Get instant alerts for sixstorage 6storage rentals
Be the first to know when new high vulnerabilities affecting sixstorage 6storage rentals are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N