Server-Side Request Forgery in Planyo Online Reservation System Plugin for WordPress
CVE-2026-3576

7.2HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-3576?

The Planyo Online Reservation System plugin for WordPress is susceptible to a Server-Side Request Forgery (SSRF) vulnerability, which can lead to Local File Inclusion (LFI). This issue is present in all versions up to and including 3.0. The ulap.php file, which functions as an AJAX proxy, can be accessed directly without going through WordPress authentication or bootstrapping processes. The plugin's send_http_post() method mistakenly validates the host of the user-supplied URL against a limited allowlist, which includes 'localhost', yet fails to verify the URL scheme/protocol. As a result, attackers can exploit this flaw by submitting a file:// URL (for instance, file://localhost/etc/passwd), effectively bypassing the host allowlist. This misconfiguration allows the attacker to execute curl_init() or fopen() with a file:// protocol, leading to unauthorized access and exposure of sensitive files on the server, such as /etc/passwd and wp-config.php.

Affected Version(s)

Planyo online reservation system 0 <= 3.0

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

chaeyp
Ronnachai Sretawat Na Ayutaya (Simonhaskelly)
Ronnachai Chaipha (rxnr)
.