PT-2026-53823 · Undefined · Undefined

Published

2026-06-30

Updated

2026-06-30

CVE-2026-9576

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2026-9576

Affected Products

Undefined

PT-2026-53823 · Undefined · Undefined

CVE-2026-9576

Related Identifiers

Affected Products

References · 2