The Fluent Booking WordPress plugin contains a flaw that allows a user with the Calendar Manager capability to export attendee data without verifying ownership of the calendar group. The export returns personally identifiable information such as names, emails, phone numbers, addresses, and payment data for attendees belonging to groups that the requester does not own. This constitutes a direct leakage of sensitive user data and violates privacy expectations.

Vulnerable versions of the Fluent Booking plugin are those released before 2.1.2. Any WordPress installation that has a pre‑2.1.2 version of this plugin installed is affected. The flaw is specific to the plugin’s export endpoint and does not depend on other components or external systems.

The exploit requires the user to already possess the Calendar Manager role. While the role is not a default administrator level, users in this role can legally perform calendar management functions, making the attack vector realistic in a compromised site environment. No CVSS score is publicly available, but the sensitive nature of the exposed data suggests a high impact if an attacker can obtain the data. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed exploitation at the time of this report. Nevertheless, the potential for privacy breach warrants prompt attention.