CVE-2026-3576

Xtreeme · Planyo Online Reservation System

The Planyo Online Reservation System plugin for WordPress contains an SSRF vulnerability leading to Local File Inclusion (LFI) due to improper input validation.

Executive summary

An unauthenticated Server-Side Request Forgery and Local File Inclusion vulnerability in the Planyo Online Reservation System plugin allows attackers to read arbitrary files from the server.

Vulnerability

The vulnerability (CWE-20) stems from improper input validation, allowing an unauthenticated attacker to perform SSRF, which can be leveraged to achieve Local File Inclusion (LFI) on the underlying server.

Business impact

This vulnerability carries a CVSS score of 7.2, reflecting a high risk of sensitive information disclosure. An attacker could read configuration files, source code, or other sensitive data residing on the web server, which could lead to a full system compromise.

Remediation

Immediate Action: Update the Planyo Online Reservation System plugin to version 3.1 or higher immediately.

Proactive Monitoring: Monitor server logs for attempts to access local files or unexpected outbound connections from the web server.

Compensating Controls: If immediate patching is not feasible, disable the plugin and implement WAF rules to filter malicious input strings commonly associated with LFI/SSRF attacks.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The risk posed by this plugin vulnerability is substantial. Security teams must ensure the plugin is updated to version 3.1 immediately to prevent unauthorized access to sensitive server files.