Unauthorized Calendar Management in Fluent Booking Plugin for WordPress
CVE-2025-13756

4.3 MEDIUM

What is CVE-2025-13756?

The Fluent Booking plugin for WordPress contains a security flaw that permits unauthorized calendar import and management. The 'importCalendar' function lacks an adequate capability check, so any authenticated user with subscriber-level access or higher can import arbitrary calendars and manage them without proper authorization. This could lead to significant security challenges for website operators who use this plugin.
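
The missing-check pattern described above, as an added example that is not Fluent Booking's code: a constructed WordPress REST route whose only gate is being logged in, next to the same route gated on a capability. The demo/v1 namespace, both route paths, the handler name and the choice of manage_options are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Demo Calendar Import (constructed example)
 */

// Hypothetical names throughout: demo/v1, both routes and
// demo_import_calendar() are made up and do not come from Fluent Booking.

add_action('rest_api_init', function () {
    // BEFORE: authentication is the only requirement. Every role,
    // including subscriber, is "logged in", so every role passes.
    register_rest_route('demo/v1', '/calendars/import-weak', [
        'methods'             => 'POST',
        'callback'            => 'demo_import_calendar',
        'permission_callback' => 'is_user_logged_in',
    ]);

    // AFTER: the route requires a capability that subscribers do not hold.
    // WordPress answers 403 before the handler runs when this returns false.
    register_rest_route('demo/v1', '/calendars/import', [
        'methods'             => 'POST',
        'callback'            => 'demo_import_calendar',
        'permission_callback' => function () {
            // manage_options is an assumption; use the capability that
            // matches who is allowed to manage calendars on the site.
            return current_user_can('manage_options');
        },
    ]);
});

/**
 * Stand-in for an import handler. It only echoes back what it would
 * import; authorization is decided by the route's permission_callback.
 */
function demo_import_calendar(WP_REST_Request $request) {
    $title = sanitize_text_field((string) $request->get_param('title'));

    return rest_ensure_response([
        'imported_by' => get_current_user_id(),
        'title'       => $title,
    ]);
}
```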

Affected Version(s)

Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution: <= 1.9.11

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Md. Moniruzzaman Prodhan