Planyo Online Reservation System
Monthly
Arbitrary local file disclosure in the Planyo Online Reservation System WordPress plugin (all versions through 3.0) lets unauthenticated remote attackers read any server-side file. The ulap.php AJAX proxy is reachable without WordPress bootstrapping or authentication and validates only the URL host against an allowlist, not the scheme, so a file://localhost/ URL passes the check and is fetched via curl/fopen. Reported by Wordfence with no public exploit identified at time of analysis; sensitive targets include wp-config.php database credentials and /etc/passwd.
Arbitrary local file disclosure in the Planyo Online Reservation System WordPress plugin (all versions through 3.0) lets unauthenticated remote attackers read any server-side file. The ulap.php AJAX proxy is reachable without WordPress bootstrapping or authentication and validates only the URL host against an allowlist, not the scheme, so a file://localhost/ URL passes the check and is fetched via curl/fopen. Reported by Wordfence with no public exploit identified at time of analysis; sensitive targets include wp-config.php database credentials and /etc/passwd.