Data Exposure Risk in Fluent Booking Plugin by WordPress
CVE-2026-9576

Currently unrated

Key Information:

Vendor: WordPress
Status: Fluent Booking
Vendor: CVE Published:; 30 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-9576?

The Fluent Booking Plugin for WordPress prior to version 2.1.2 is susceptible to improper access control, allowing users with the Calendar Manager role to access and export sensitive attendee information, such as names, emails, phone numbers, addresses, and payment details, from calendar groups they do not own. This flaw arises from the plugin's failure to properly verify ownership before permitting data export. Users are advised to update to the latest version to mitigate security risks.

Affected Version(s)

Fluent Booking 0 < 2.1.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-9576 - Proof of Concept

References

https://wpscan.com/vulnerability/f28759e0-f15e-4014-b0d1-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 30, 2026
👾
Exploit known to exist
Jun 30, 2026
Vulnerability published
Jun 30, 2026
Vulnerability Reserved
May 26, 2026

Credit

Md Amin Ullah Sheikh

WPScan

CVE-2026-9576 Data

JSON