Fluent Booking
Monthly
Broken object-level authorization in the Fluent Booking WordPress plugin (all versions before 2.1.2) allows any user holding the Calendar Manager role to export attendee PII - including names, email addresses, phone numbers, physical addresses, and payment information - from calendar groups they do not own. The flaw resides in the plugin's attendee export endpoint, which accepts a caller-supplied group_id without verifying the requesting user's ownership of that group. A publicly available proof-of-concept exploit exists per WPScan reporting; however, this vulnerability is not listed in the CISA KEV catalog, indicating no confirmed broad exploitation. The CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite, though the sensitivity of the exposed data - including payment details - elevates real-world business impact beyond what the numeric score alone suggests.
Broken object-level authorization in the Fluent Booking WordPress plugin (all versions before 2.1.2) allows any user holding the Calendar Manager role to export attendee PII - including names, email addresses, phone numbers, physical addresses, and payment information - from calendar groups they do not own. The flaw resides in the plugin's attendee export endpoint, which accepts a caller-supplied group_id without verifying the requesting user's ownership of that group. A publicly available proof-of-concept exploit exists per WPScan reporting; however, this vulnerability is not listed in the CISA KEV catalog, indicating no confirmed broad exploitation. The CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite, though the sensitivity of the exposed data - including payment details - elevates real-world business impact beyond what the numeric score alone suggests.