Security Advisory - Published 2026-06-09 - WordPress plugin

6Storage Rentals CVE-2026-9185: Tenant Data Exposure Self-Check

CVE-2026-9185 affects the 6Storage Rentals WordPress plugin up to and including version 2.22.0. The issue is an authorization bypass: AJAX handlers reachable without authentication accept a user-controlled tenant identifier and read or update that tenant's profile data without checking that the requester owns the record. Any client that can reach admin-ajax.php can therefore pick a tenant identifier and pull or rewrite that tenant's profile.

Data risk: The affected handlers expose tenant profile fields, including name, email, phone, physical address, and SSN. Treat an affected public site as a privacy and incident-response issue, not just a plugin update: the question is not only whether to patch but whether tenant records were read or changed while the site was exposed.

Who is affected

  • Plugin: 6Storage Rentals, slug 6storage-rentals
  • CVE: CVE-2026-9185
  • Affected versions: 2.22.0 and earlier
  • Plugin directory status: WordPress.org says the plugin was closed on 2026-06-04 pending review
  • Impact: unauthenticated tenant profile read and update risk

10-minute self-check

Step 1: Check whether the plugin is installed

wp plugin list | grep 6storage-rentals
wp plugin get 6storage-rentals --field=version

If it is installed, record the version and identify the pages that expose tenant self-service or profile update flows; those pages are the front end for the affected AJAX calls, but the calls themselves go to /wp-admin/admin-ajax.php and do not require the portal page to be visited.

Step 2: Disable public access until reviewed

wp plugin deactivate 6storage-rentals

If storage rental operations depend on the plugin, put the tenant portal behind a temporary access restriction and review logs before reopening.

Step 3: Review AJAX traffic

Search for calls to the affected tenant profile actions. Keep logs for legal and privacy review if tenant data may have been accessed. Two caveats: web server access logs record the query string only for GET requests, so an action name sent in a POST body will not appear, and admin-ajax.php is used heavily by WordPress core and other plugins, so unfiltered hits on it are noisy. Rotated logs are usually gzip-compressed; run the same pattern with zgrep over the .gz files as well.

grep -rE "six_storage_get_user_info|six_storage_update_profile|admin-ajax.php" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -160

Step 4: Check tenant profile changes

  • Tenant names, phone numbers, emails, or physical addresses changed without a support ticket.
  • Multiple tenant records updated from the same IP or user agent.
  • Profile changes outside business hours.
  • Tenant support complaints about changed contact details or account access.
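The Step 3 and Step 4 signals can be checked together from the access log. The script below is an added example, not code from the advisory or from the plugin: it parses combined-format log lines, keeps only admin-ajax.php traffic, counts calls to the two affected actions named in this advisory, collects the distinct tenant identifiers a client asked for, counts off-hours hits, and separately counts POSTs whose action is invisible because request bodies are not logged. The query parameter name for the tenant identifier (user_id), the business-hours window, and the log lines themselves are constructed assumptions for the example; adjust the first two to match the plugin and your site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Action names taken from the advisory's grep pattern.
AFFECTED_ACTIONS = {"six_storage_get_user_info", "six_storage_update_profile"}

# Assumption: the tenant identifier travels in a query parameter named
# "user_id". The real parameter name is not given in the advisory; adjust it.
TENANT_ID_PARAM = "user_id"

# Assumption: business hours are 07:00-19:00 in the log's own timezone.
BUSINESS_HOURS = range(7, 19)

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic): one scripted client walks
# tenant ids at 02:14 UTC, then sends a POST whose action is not logged; a
# second client makes ordinary core heartbeat and portal requests by day.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2026:02:14:03 +0000] "GET /wp-admin/admin-ajax.php?action=six_storage_get_user_info&user_id=101 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [07/Jun/2026:02:14:05 +0000] "GET /wp-admin/admin-ajax.php?action=six_storage_get_user_info&user_id=102 HTTP/1.1" 200 498 "-" "python-requests/2.31"',
    '203.0.113.7 - - [07/Jun/2026:02:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '198.51.100.20 - - [07/Jun/2026:14:30:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '198.51.100.20 - - [07/Jun/2026:14:31:40 +0000] "GET /tenant-portal/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # First value of each query parameter; POST bodies are not in the log.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def triage(lines):
    """Summarise admin-ajax.php traffic per client IP.

    Returns {ip: summary} for every IP that touched admin-ajax.php. Other
    requests (portal pages, assets) are ignored because the vulnerable
    calls go to admin-ajax.php regardless of which page the client viewed.
    """
    findings = defaultdict(lambda: {
        "ajax_hits": 0, "affected_hits": 0, "unlogged_posts": 0,
        "off_hours_hits": 0, "tenant_ids": set(), "user_agents": set(),
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/admin-ajax.php"):
            continue
        f = findings[rec["ip"]]
        f["ajax_hits"] += 1
        f["user_agents"].add(rec["ua"])
        if rec["time"].hour not in BUSINESS_HOURS:
            f["off_hours_hits"] += 1
        action = rec["query"].get("action")
        if action in AFFECTED_ACTIONS:
            f["affected_hits"] += 1
            tid = rec["query"].get(TENANT_ID_PARAM)
            if tid:
                f["tenant_ids"].add(tid)
        elif rec["method"] == "POST" and action is None:
            # The action was in the request body, which access logs omit;
            # these need application logs or body logging to resolve.
            f["unlogged_posts"] += 1
    return dict(findings)


def suspicious(findings):
    """IPs worth escalating: any affected-action call, or unresolved
    off-hours POSTs to admin-ajax.php."""
    return sorted(
        ip for ip, f in findings.items()
        if f["affected_hits"] or (f["unlogged_posts"] and f["off_hours_hits"])
    )


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for ip in suspicious(results):
        f = results[ip]
        print(f"{ip}: {f['affected_hits']} affected calls, "
              f"{len(f['tenant_ids'])} distinct tenant ids, "
              f"{f['unlogged_posts']} unlogged POSTs, "
              f"{f['off_hours_hits']} off-hours hits, UA={sorted(f['user_agents'])}")
```

Feed real logs with `triage(open(path))` after adjusting TENANT_ID_PARAM. A single client asking for several tenant identifiers it does not own is the strongest indicator in this data; the unlogged POST count tells you how much of the picture the access log cannot answer and therefore how much depends on application-side logging or the tenant-record review in Step 4.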

Safe fix path

  1. Deactivate the plugin or restrict the portal. Do not leave the affected AJAX handlers public while reviewing.
  2. Export logs. Preserve web logs and application logs before they rotate.
  3. Review tenant data changes. Compare profile changes against support tickets and legitimate self-service activity.
  4. Notify stakeholders if needed. If SSN or address data may have been exposed, involve legal/privacy owners.
  5. Plan a replacement or wait for a patched release. Because WordPress.org lists the plugin as closed pending review, do not reinstall an old copy from an untrusted download site; an unofficial archive can carry the same bug or additional code.

When to request repair help

Ask for help if the plugin was active on a tenant portal, logs show unauthenticated profile action calls, or tenant records changed without a clear reason. Start from Ping7 CVE repair and include the plugin version, portal URL, and whether SSN fields were stored.
