CVE-2026-9576
Fluent Booking < 2.1.2 - Calendar Manager+ Sensitive Information Disclosure via Attendee Export
Vexday Risk Score
33 (Attention)
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 4.9 · EPSS 0.2% · KEV no · PoC public · Nuclei — · Metasploit — · Patch —
Lifecycle
30 Jun 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Affected products
Unknown · Fluent Booking
Public PoCs found: 1
cve_reference: wpscan.com/vulnerability/f28759e0-f15e-4014-b0d1-8b58bf412b49/ (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.