CVE-2026-9576 | The Fluent Booking WordPress plugin before 2.1.2 does not v…

Description

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.

Metadata

CVE ID: CVE-2026-9576
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-05-26 12:45 UTC
Published: 2026-06-30 06:00 UTC
Last updated: 2026-06-30 06:00 UTC
Vendor / Product: Unknown / Fluent Booking
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	Fluent Booking	—	0 < 2.1.2

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-200 Information Exposure

References (1)

https://wpscan.com/vulnerability/f28759e0-f15e-4014-b0d1-8b58bf412b49/