PHP Remote File Inclusion Vulnerability in WpBookingly by MagePeople Team
CVE-2026-32384

7.5HIGH

Key Information:

Vendor: WordPress
Status: WPbookingly
Vendor: CVE Published:; 13 March 2026

What is CVE-2026-32384?

The WpBookingly plugin, developed by MagePeople Team, is affected by an issue that allows for improper control of filenames used in include/require statements. This vulnerability can lead to PHP Local File Inclusion (LFI), enabling attackers to potentially execute arbitrary code, expose sensitive files, and compromise the security of a WordPress site. This issue is present in versions up to 1.2.9, necessitating immediate attention to secure impacted installations.

Affected Version(s)

WpBookingly 0 <= 1.2.9

References

https://patchstack.com/database/Wordpress/Plugin/service-...

vdb-entry

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2026
Vulnerability Reserved
Mar 12, 2026

Credit

daroo | Patchstack Bug Bounty Program

CVE-2026-32384 Data

JSON