Skip to main content

Fluent Booking CVE-2026-9576

| EUVDEUVD-2026-40264 MEDIUM
2026-06-30 WPScan GHSA-fvjp-rchx-7wr5
4.9
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Network-accessible endpoint; requires Calendar Manager role (PR:H); only confidentiality is impacted via PII/payment data exfiltration; no integrity or availability effect.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 30, 2026 - 13:24 vuln.today
CVSS changed
Jun 30, 2026 - 13:22 NVD
4.9 (MEDIUM)
Patch available
Jun 30, 2026 - 08:01 EUVD
CVE Published
Jun 30, 2026 - 06:00 cve.org
MEDIUM 4.9
CVE Published
Jun 30, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.

AnalysisAI

Broken object-level authorization in the Fluent Booking WordPress plugin (all versions before 2.1.2) allows any user holding the Calendar Manager role to export attendee PII - including names, email addresses, phone numbers, physical addresses, and payment information - from calendar groups they do not own. The flaw resides in the plugin's attendee export endpoint, which accepts a caller-supplied group_id without verifying the requesting user's ownership of that group. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise Calendar Manager credentials
Delivery
Authenticate to target WordPress site
Exploit
Enumerate valid group_ids via export endpoint
Execution
Submit export request with unowned group_id
Impact
Receive full attendee PII and payment data export

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account with at least the Calendar Manager role assigned on the target installation - lower-privilege roles (Subscriber, Contributor, Author, Editor) and unauthenticated users cannot exploit this flaw. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) accurately reflects the network accessibility and zero user-interaction requirement but is tempered significantly by the PR:H prerequisite - exploitation requires an account with at least the Calendar Manager role on the target WordPress site. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor who holds a Calendar Manager account on a shared WordPress site - whether obtained via credential compromise, insider threat, or provisioned as part of a legitimate but scoped engagement - sends a crafted GET or POST request to the Fluent Booking export endpoint, substituting an integer group_id belonging to a calendar group they do not manage. Because no ownership check is performed server-side, the plugin returns a full export of that group's attendee records including names, emails, phone numbers, addresses, and payment data. …
Remediation Update the Fluent Booking WordPress plugin to version 2.1.2 or later, which introduces server-side ownership verification on the group_id parameter before returning export data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9576 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy