Fluent Booking < 2.1.2 - Calendar Manager+ Sensitive Information Disclosure via Attendee Export (CVE-2026-9576)

CVSS 3.1 score: 4.9 / 10 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.

Basic Information

ID: CVE-2026-9576
Source: WPScan
Published: Jun 30, 2026 at 06:00
Modified: Jun 30, 2026 at 12:56

Affected Product

Vendor: Unknown
Product: Fluent Booking
Affected Versions: Unknown Fluent Booking 0

CWE Classification

References
