4.9 / 10 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Description
The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.
Basic Information
ID: CVE-2026-9576
Source: WPScan
Published: Jun 30, 2026 at 06:00
Modified: Jun 30, 2026 at 12:56
Affected Product
Vendor: Unknown
Product: Fluent Booking
Affected Versions
Unknown Fluent Booking 0