Skip to main content
CVE Vulnerability Database

CVE-2026-9576: Fluent Booking Information Disclosure

CVE-2026-9576 is an information disclosure flaw in Fluent Booking WordPress plugin that allows Calendar Managers to access PII from calendar groups they don't own. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-9576 Overview

CVE-2026-9576 affects the Fluent Booking WordPress plugin in versions before 2.1.2. The plugin fails to verify ownership of the requested group_id parameter before exporting attendee data through the export endpoint. Users assigned the Calendar Manager role can retrieve attendee personally identifiable information (PII) from calendar groups they do not own. Exposed data includes names, email addresses, phone numbers, physical addresses, and payment information. This is an Insecure Direct Object Reference (IDOR) flaw enabling horizontal privilege escalation across tenants within the same WordPress installation.

Critical Impact

Authenticated Calendar Manager users can export PII and payment details from calendar groups belonging to other users, violating tenant isolation on multi-user booking installations.

Affected Products

  • Fluent Booking WordPress plugin versions prior to 2.1.2
  • WordPress sites using Fluent Booking with multiple Calendar Manager accounts
  • Multi-tenant booking deployments relying on the plugin for data isolation

Discovery Timeline

  • 2026-06-30 - CVE-2026-9576 published to NVD
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-9576

Vulnerability Analysis

The Fluent Booking plugin exposes an export endpoint that accepts a group_id parameter and returns attendee records for the specified calendar group. The endpoint enforces role-based access, requiring the caller to hold at least the Calendar Manager role. However, it does not check whether the authenticated user owns the calendar group identified by group_id.

An attacker holding a Calendar Manager account can iterate group_id values and export attendee datasets from calendars owned by other users. Returned records include names, email addresses, phone numbers, postal addresses, and payment information collected during booking flows.

The attack requires authentication and can be executed over the network without user interaction. The EPSS probability is 0.234% with a percentile of 14.26.

Root Cause

The root cause is missing authorization on the export handler. The plugin performs a capability check for the Calendar Manager role but omits an object-level ownership check tying the requested group_id to the current user. This pattern maps to Insecure Direct Object Reference [CWE-639] and Broken Access Control [CWE-284].

Attack Vector

An authenticated user with the Calendar Manager role sends a request to the plugin's export endpoint with an arbitrary group_id. The server returns the attendee export for that group regardless of ownership. Enumeration of sequential or discoverable group_id values allows bulk PII harvesting across the WordPress instance.

No verified public exploit code is available. Refer to the WPScan Vulnerability Report for additional technical context.

Detection Methods for CVE-2026-9576

Indicators of Compromise

  • Repeated requests to the Fluent Booking export endpoint containing varying group_id values from a single authenticated account
  • Export responses containing attendee records for groups not associated with the requesting user
  • Unexpected spikes in outbound response size from wp-admin or REST endpoints tied to Fluent Booking

Detection Strategies

  • Enable WordPress audit logging and record every export request with the authenticated user, group_id, and response byte count
  • Correlate the requesting user's owned groups against the group_id values requested to flag mismatches
  • Alert when a single Calendar Manager account exports more distinct group_id values within an hour than a defined baseline

Monitoring Recommendations

  • Forward WordPress and web server logs to a centralized SIEM for behavioral analysis of Fluent Booking endpoints
  • Track Calendar Manager role assignments and review new grants against expected users
  • Monitor for unusual PII egress patterns from the WordPress host, including large CSV or JSON responses

How to Mitigate CVE-2026-9576

Immediate Actions Required

  • Update the Fluent Booking plugin to version 2.1.2 or later on all WordPress instances
  • Audit accounts holding the Calendar Manager role and remove any that are not required
  • Review historical logs for export requests referencing group_id values outside the caller's owned groups

Patch Information

Upgrade Fluent Booking to version 2.1.2 or later. This release adds the ownership verification on the export endpoint. See the WPScan Vulnerability Report for advisory details.

Workarounds

  • Restrict the Calendar Manager role to a minimal set of trusted administrators until the patch is applied
  • Block access to the plugin's export endpoint at the web application firewall for all users except a defined allowlist
  • Temporarily disable the Fluent Booking plugin on sites where the patch cannot be applied immediately

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.