← back
CVE-2026-9576

Fluent Booking < 2.1.2 - Calendar Manager+ Sensitive Information Disclosure via Attendee Export

CVSS 4.9 MEDIUMEPSS 0.2%
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 4.9EPSS 0.2%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
30 Jun 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Affected products
Unknown · Fluent Booking
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.