WordPress Plugin Vulnerabilities

Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution < 1.10.0 - Authenticated (Subscriber+) Missing Authorization to Calendar Import and Management

Description

The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with subscriber level access and above, to import arbitrary calendars and manage them.

Affects Plugins

Plugin icon
fluent-booking
Fixed in 1.10.0

References

CVE
CVE-2025-13756
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7860dfa8-de76-4ca3-bd80-98550afab56b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
Verified
No
WPVDB ID
1dcb3887-ac28-4c1b-b41d-b90934d4269c

Timeline

Publicly Published
2025-12-03 (about 5 months ago)
Added
2025-12-03 (about 5 months ago)
Last Updated
2025-12-03 (about 5 months ago)

Other

Published
Title
Published
2025-06-05
Title
Direct Checkout for WooCommerce Lite <= 1.0.3 - Missing Authorization
Published
2025-04-04
Title
TableOn – WordPress Posts Table Filterable <= 1.0.4 - Missing Authorization
Published
2025-09-22
Title
WP Compress < 6.50.55 - Missing Authorization
Published
2024-12-09
Title
WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation
Published
2025-11-03
Title
Import Export For WooCommerce <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update