CVE-2026-9576
Fluent Booking < 2.1.2 - Calendar Manager+ Sensitive Information Disclosure via Attendee Export
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.
| Vendor | unknown |
| Product | fluent booking |
| Published | Jun 30, 2026 |
Affected Versions
Unknown / Fluent Booking
0 < 2.1.2
Credits
Md Amin Ullah Sheikh WPScan