Security Advisory - Published 2026-06-09 - WordPress plugin
6Storage Rentals CVE-2026-9185: Tenant Data Exposure Self-Check
CVE-2026-9185 affects the 6Storage Rentals WordPress plugin up to and including 2.22.0. The issue is an authorization bypass: unauthenticated AJAX handlers accept a user-controlled tenant identifier and can read or update tenant profile data without proving the requester owns that tenant record.
Who is affected
- Plugin: 6Storage Rentals, slug 6storage-rentals
- CVE: CVE-2026-9185
- Affected versions: 2.22.0 and earlier
- Plugin directory status: WordPress.org says the plugin was closed on 2026-06-04 pending review
- Impact: unauthenticated tenant profile read and update risk
10-minute self-check
Step 1: Check whether the plugin is installed
wp plugin list | grep 6storage-rentals
wp plugin get 6storage-rentals --field=version
If it is installed, check whether the site exposes tenant self-service pages or profile update flows.
Step 2: Disable public access until reviewed
wp plugin deactivate 6storage-rentals
If storage rental operations depend on the plugin, put the tenant portal behind a temporary access restriction and review logs before reopening.
Step 3: Review AJAX traffic
Search for calls to the affected tenant profile actions. Keep logs for legal and privacy review if tenant data may have been accessed.
grep -RE "six_storage_get_user_info|six_storage_update_profile|admin-ajax.php" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -n 160
Note that tail only shows the last 160 matches; drop it if you need the full history, and remember that POST bodies are not written to access logs, so an action name passed only in the request body will not appear there.
Step 4: Check tenant profile changes
- Tenant names, phone numbers, emails, or physical addresses changed without a support ticket.
- Multiple tenant records updated from the same IP or user agent.
- Profile changes outside business hours.
- Tenant support complaints about changed contact details or account access.
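To make Steps 3 and 4 concrete, here is an added triage script that is not part of the advisory or of the plugin. It scans a web access log for requests to the two affected AJAX actions named above and reports the indicators from Step 4 that can be derived from the log alone: calls per client IP, IPs that touched more than one tenant id, and off-hours activity. The log lines are constructed samples in combined log format using documentation IP ranges, and the script assumes the tenant identifier travels as a `user_id` query parameter; that parameter name is an assumption, not something the advisory states.

```shell
#!/bin/sh
# Added example: triage an access log for CVE-2026-9185 indicators.
# SAMPLE_LOG holds constructed lines (combined log format, documentation IPs).
# Assumption: the tenant identifier is passed as a "user_id" query parameter.
# The two six_storage_* action names come from the advisory; "heartbeat" is
# ordinary WordPress traffic included to show it is filtered out.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [05/Jun/2026:02:13:44 +0000] "GET /wp-admin/admin-ajax.php?action=six_storage_get_user_info&user_id=101 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.10 - - [05/Jun/2026:02:13:51 +0000] "GET /wp-admin/admin-ajax.php?action=six_storage_get_user_info&user_id=102 HTTP/1.1" 200 498 "-" "curl/8.4.0"
203.0.113.10 - - [05/Jun/2026:02:14:03 +0000] "POST /wp-admin/admin-ajax.php?action=six_storage_update_profile&user_id=102 HTTP/1.1" 200 31 "-" "curl/8.4.0"
198.51.100.7 - - [05/Jun/2026:09:41:20 +0000] "GET /wp-admin/admin-ajax.php?action=six_storage_get_user_info&user_id=205 HTTP/1.1" 200 502 "https://example.test/tenant-portal/" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2026:09:42:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "https://example.test/tenant-portal/" "Mozilla/5.0"
192.0.2.44 - - [05/Jun/2026:10:00:05 +0000] "GET /tenant-portal/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
EOF
)

# Log source: $LOG_FILE if set (e.g. /var/log/nginx/access.log), else the sample.
log_lines() {
  if [ -n "${LOG_FILE:-}" ]; then cat "$LOG_FILE"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# admin-ajax.php requests for the two affected actions only.
affected_ajax_calls() {
  log_lines | grep 'admin-ajax\.php' \
    | grep -E 'action=six_storage_(get_user_info|update_profile)'
}

# Affected calls per client IP, busiest first (Step 4: same IP, many records).
calls_per_ip() {
  affected_ajax_calls | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# IPs that touched more than one distinct tenant id. One tenant reading its
# own profile is normal; one client walking several tenant ids is not.
ips_touching_multiple_tenants() {
  affected_ajax_calls \
    | sed -n 's/^\([^ ]*\) .*[?&]user_id=\([0-9]*\).*/\1 \2/p' \
    | sort -u \
    | awk '{ n[$1]++ } END { for (ip in n) if (n[ip] > 1) print ip }'
}

# Affected calls outside 07:00-18:59 server time (Step 4: outside business
# hours). Field $4 is "[dd/Mon/yyyy:HH:MM:SS", so the hour is the 2nd ":" part.
offhours_affected_calls() {
  affected_ajax_calls \
    | awk '{ split($4, t, ":"); h = t[2] + 0; if (h < 7 || h >= 19) print }'
}

# Human-readable summary of all four checks.
report() {
  echo "== affected AJAX calls =="; affected_ajax_calls
  echo "== affected calls per IP =="; calls_per_ip
  echo "== IPs touching multiple tenant ids =="; ips_touching_multiple_tenants
  echo "== off-hours affected calls =="; offhours_affected_calls
}

report
```

Run it as `LOG_FILE=/var/log/nginx/access.log sh triage.sh` against a real log, or without `LOG_FILE` to see it work on the sample. On the sample, 203.0.113.10 is the client worth escalating: it reads two different tenant records and then updates one of them, all at 02:00 server time from a command-line user agent. The script only sees what the web server logged: if the plugin's handlers are called with the action and tenant id in a POST body, the access log shows a bare admin-ajax.php request and you will need application-level logging or database change history to complete Step 4.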
Safe fix path
- Deactivate the plugin or restrict the portal. Do not leave the affected AJAX handlers public while reviewing.
- Export logs. Preserve web logs and application logs before they rotate.
- Review tenant data changes. Compare profile changes against support tickets and legitimate self-service activity.
- Notify stakeholders if needed. If SSN or address data may have been exposed, involve legal/privacy owners.
- Plan replacement or patched release. Because WordPress.org lists the plugin as closed pending review, do not reinstall an old copy from an untrusted download site.
When to request repair help
Ask for help if the plugin was active on a tenant portal, logs show unauthenticated profile action calls, or tenant records changed without a clear reason. Start from Ping7 CVE repair and include the plugin version, portal URL, and whether SSN fields were stored.