Skip to main content

Planyo Online Reservation System

1 CVEs product

Monthly

CVE-2026-3576 HIGH This Week

Arbitrary local file disclosure in the Planyo Online Reservation System WordPress plugin (all versions through 3.0) lets unauthenticated remote attackers read any server-side file. The ulap.php AJAX proxy is reachable without WordPress bootstrapping or authentication and validates only the URL host against an allowlist, not the scheme, so a file://localhost/ URL passes the check and is fetched via curl/fopen. Reported by Wordfence with no public exploit identified at time of analysis; sensitive targets include wp-config.php database credentials and /etc/passwd.

WordPress SSRF PHP Planyo Online Reservation System
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary local file disclosure in the Planyo Online Reservation System WordPress plugin (all versions through 3.0) lets unauthenticated remote attackers read any server-side file. The ulap.php AJAX proxy is reachable without WordPress bootstrapping or authentication and validates only the URL host against an allowlist, not the scheme, so a file://localhost/ URL passes the check and is fetched via curl/fopen. Reported by Wordfence with no public exploit identified at time of analysis; sensitive targets include wp-config.php database credentials and /etc/passwd.

WordPress SSRF PHP +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy