Server-Side Request Forgery in Planyo Online Reservation System Plugin for WordPress
CVE-2026-3576
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-3576?
The Planyo Online Reservation System plugin for WordPress is susceptible to a Server-Side Request Forgery (SSRF) vulnerability, which can lead to Local File Inclusion (LFI). This issue is present in all versions up to and including 3.0. The ulap.php file, which functions as an AJAX proxy, can be accessed directly without going through WordPress authentication or bootstrapping processes. The plugin's send_http_post() method mistakenly validates the host of the user-supplied URL against a limited allowlist, which includes 'localhost', yet fails to verify the URL scheme/protocol. As a result, attackers can exploit this flaw by submitting a file:// URL (for instance, file://localhost/etc/passwd), effectively bypassing the host allowlist. This misconfiguration allows the attacker to execute curl_init() or fopen() with a file:// protocol, leading to unauthorized access and exposure of sensitive files on the server, such as /etc/passwd and wp-config.php.
Affected Version(s)
Planyo online reservation system 0 <= 3.0
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved