Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Network-accessible endpoint; requires Calendar Manager role (PR:H); only confidentiality is impacted via PII/payment data exfiltration; no integrity or availability effect.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.
AnalysisAI
Broken object-level authorization in the Fluent Booking WordPress plugin (all versions before 2.1.2) allows any user holding the Calendar Manager role to export attendee PII - including names, email addresses, phone numbers, physical addresses, and payment information - from calendar groups they do not own. The flaw resides in the plugin's attendee export endpoint, which accepts a caller-supplied group_id without verifying the requesting user's ownership of that group. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account with at least the Calendar Manager role assigned on the target installation - lower-privilege roles (Subscriber, Contributor, Author, Editor) and unauthenticated users cannot exploit this flaw. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) accurately reflects the network accessibility and zero user-interaction requirement but is tempered significantly by the PR:H prerequisite - exploitation requires an account with at least the Calendar Manager role on the target WordPress site. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor who holds a Calendar Manager account on a shared WordPress site - whether obtained via credential compromise, insider threat, or provisioned as part of a legitimate but scoped engagement - sends a crafted GET or POST request to the Fluent Booking export endpoint, substituting an integer group_id belonging to a calendar group they do not manage. Because no ownership check is performed server-side, the plugin returns a full export of that group's attendee records including names, emails, phone numbers, addresses, and payment data. … |
| Remediation | Update the Fluent Booking WordPress plugin to version 2.1.2 or later, which introduces server-side ownership verification on the group_id parameter before returning export data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40264
GHSA-fvjp-rchx-7wr5