CVE-2026-9576

Fluent Booking PII Exposure via Unauthorized Group Export

Vulnerability report for CVE-2026-9576, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: WPScan

Description

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.
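As an added illustration (not Fluent Booking's code; the hook, capability, table and function names are hypothetical, only the WordPress core APIs are real), the following PHP contrasts an AJAX export handler that checks only the nonce and role, as the description above states, with one that also verifies that the requested group_id belongs to the caller:

```php
<?php
// Added illustration, not the plugin's code. Hook, capability, table and
// function names are hypothetical; WordPress core calls are real.

// Returns the owning user ID of a calendar group, or null if it does not exist.
function example_get_group_owner_id( int $group_id ): ?int {
    global $wpdb;
    $owner = $wpdb->get_var( $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}example_calendar_groups WHERE id = %d",
        $group_id
    ) );
    return $owner === null ? null : (int) $owner;
}

// Returns the attendee rows (the PII the advisory is about) for one group.
function example_fetch_attendees( int $group_id ): array {
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT name, email, phone FROM {$wpdb->prefix}example_attendees WHERE group_id = %d",
        $group_id
    ), ARRAY_A );
}

// Pattern described in the advisory: nonce and role are verified, but nothing
// ties group_id to the caller, so any Calendar Manager can export any group.
function example_export_attendees_missing_ownership_check() {
    check_ajax_referer( 'example_export_nonce', 'nonce' );
    if ( ! current_user_can( 'example_manage_calendars' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $group_id = absint( $_POST['group_id'] ?? 0 );
    wp_send_json_success( example_fetch_attendees( $group_id ) ); // no ownership check
}

// Hardened form: object-level authorization. The group must exist and belong
// to the current user unless the caller is a site administrator.
function example_export_attendees_with_ownership_check() {
    check_ajax_referer( 'example_export_nonce', 'nonce' );
    if ( ! current_user_can( 'example_manage_calendars' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $group_id = absint( $_POST['group_id'] ?? 0 );
    $owner_id = example_get_group_owner_id( $group_id );
    if ( $owner_id === null || ( $owner_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) ) {
        // Denied attempts are worth logging: repeated denials from one account are an audit signal.
        error_log( sprintf( 'denied attendee export: user %d, group %d', get_current_user_id(), $group_id ) );
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( example_fetch_attendees( $group_id ) );
}
add_action( 'wp_ajax_example_export_attendees', 'example_export_attendees_with_ownership_check' );
```

Returning the same 403 for a missing group and for a group owned by someone else avoids letting a caller enumerate which group_ids exist.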



Affected Vendors & Products

One associated CPE:

Vendor: fluent_booking; Product: fluent_booking; Version / Range: up to 2.1.2 (excluding)

Exploitability

CWE ID: CWE-UNKNOWN

Executive Summary

The Fluent Booking WordPress plugin, before version 2.1.2, has a vulnerability where it does not verify ownership of the requested group_id before exporting attendee data via the export endpoint.

This flaw allows users with at least the Calendar Manager role to access personally identifiable information (PII) such as names, emails, phone numbers, addresses, and payment details from calendar groups they do not own.

An attacker can exploit this by sending a POST request to the export endpoint with a valid nonce and an arbitrary group_id to retrieve that group's attendee data.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive personal information including names, emails, phone numbers, addresses, and payment information of attendees.

Users with the Calendar Manager role could exploit this flaw to access data from calendar groups they do not own, potentially leading to privacy breaches and misuse of personal data.

Such exposure of personally identifiable information (PII) can result in identity theft, financial fraud, and damage to the reputation of the affected organization.

Detection Guidance

This vulnerability can be detected by attempting to export attendee data from calendar groups that the user does not own using the export endpoint of the Fluent Booking plugin.

A proof of concept involves sending a POST request to the export endpoint with a valid nonce and a group_id the user does not own, then checking whether attendee data is returned without ownership verification.

For example, you can use a command like curl to test this:

  • curl -X POST -d 'nonce=VALID_NONCE&group_id=ARBITRARY_GROUP_ID' https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=fluent_booking_export_attendees

If the response contains attendee personally identifiable information (PII) such as names, emails, phone numbers, addresses, or payment information for groups you do not own, the vulnerability is present.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Fluent Booking WordPress plugin to version 2.1.2 or later, where the issue has been fixed.

Until the update can be applied, restrict the Calendar Manager role permissions to trusted users only, as users with this role can exploit the vulnerability to access sensitive attendee data.

Additionally, monitor and audit access logs for suspicious requests to the export endpoint, such as one Calendar Manager account exporting many different group_ids in a short period.
