CVE-2026-3576
Received Received - Intake

Server-Side Request Forgery in Planyo Online Reservation System Plugin

Vulnerability report for CVE-2026-3576, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0. The ulap.php file acts as an AJAX proxy and is directly accessible without WordPress bootstrapping or any authentication. The send_http_post() function validates the host of the provided URL against an allowlist that includes 'localhost', but critically fails to validate the URL scheme/protocol. This makes it possible for unauthenticated attackers to supply a file:// URL (e.g., file://localhost/etc/passwd) which bypasses the host allowlist check because parse_url() returns 'localhost' as the host. The URL is then passed to curl_init() or fopen(), both of which support the file:// protocol, allowing the attacker to read arbitrary local files on the server and have their contents returned in the HTTP response. This can lead to disclosure of sensitive files such as /etc/passwd, wp-config.php (containing database credentials and authentication keys), and other server-side files.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
planyo online_reservation_system to 3.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Planyo Online Reservation System plugin for WordPress has a Server-Side Request Forgery (SSRF) vulnerability that leads to Local File Inclusion (LFI) in all versions up to and including 3.0.

This vulnerability exists because the ulap.php file acts as an AJAX proxy accessible without authentication and does not properly validate the URL scheme/protocol.

Although the plugin checks the host against an allowlist including 'localhost', it fails to block file:// URLs. Attackers can supply a file:// URL that bypasses the host check and causes the server to read local files.

As a result, attackers can read sensitive files on the server such as /etc/passwd or wp-config.php, which may contain database credentials and authentication keys.

Impact Analysis

This vulnerability allows unauthenticated attackers to read arbitrary local files on the server hosting the Planyo plugin.

The disclosure of sensitive files like wp-config.php can expose database credentials and authentication keys, potentially leading to further compromise of the website or server.

Such unauthorized access can result in data breaches, loss of confidentiality, and increased risk of further attacks.

Compliance Impact

This vulnerability allows unauthenticated attackers to read arbitrary local files on the server, including sensitive files such as wp-config.php which contains database credentials and authentication keys.

Disclosure of such sensitive information can lead to unauthorized access to personal data and system credentials, potentially resulting in violations of data protection regulations like GDPR and HIPAA that require safeguarding of personal and sensitive information.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing confidential data and failing to maintain adequate security controls.

Detection Guidance

This vulnerability can be detected by checking if the Planyo Online Reservation System plugin for WordPress is installed and running a version up to and including 3.0.

Specifically, detection involves verifying if the ulap.php file is accessible without authentication and if it accepts URLs that use the file:// protocol.

You can attempt to detect exploitation by sending HTTP requests to the ulap.php endpoint with a crafted file:// URL and observing if local file contents are returned.

  • Example curl command to test for vulnerability: curl -G 'http://your-wordpress-site/wp-content/plugins/planyo/ulap.php' --data-urlencode 'url=file://localhost/etc/passwd'
  • Look for responses containing contents of local files such as /etc/passwd or wp-config.php.
Mitigation Strategies

Immediate mitigation steps include updating the Planyo Online Reservation System plugin to a version later than 3.0 where this vulnerability is fixed.

If an update is not immediately available, restrict access to the ulap.php file by implementing authentication or limiting access via web server configuration.

Additionally, consider blocking or filtering requests that include file:// URLs to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3576. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart