A vulnerability has been found in masaakitanaka Booking Package Plugin up to 1.7.16 on WordPress and classified as problematic . This issue affects the function Schedule::updateUser of the component AJAX Endpoint . This manipulation of the argument administrator causes authorization bypass. This vulnerability appears as CVE-2026-9851 . The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.