The Fluent Booking WordPress plugin versions prior to 2.1.2 fail to verify ownership of the requested group_id parameter before exporting attendee data. This flaw permits users assigned the Calendar Manager role to access sensitive attendee information—including names, emails, phone numbers, addresses, and payment details—from calendar groups they do not have permission to manage. This constitutes an information exposure vulnerability classified under CWE-200.

Users with the Calendar Manager role can retrieve sensitive personally identifiable information (PII) of attendees from unauthorized calendar groups. This exposure includes names, email addresses, phone numbers, physical addresses, and payment information, potentially leading to privacy violations and data misuse.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is referenced, users should monitor the vendor's communications for updates. Until a fix is available, restrict the Calendar Manager role permissions or limit access to the export endpoint to trusted users only.