CVE-2026-3576
Xtreeme · Planyo Online Reservation System
The Planyo Online Reservation System plugin for WordPress contains an SSRF vulnerability leading to Local File Inclusion (LFI) due to improper input validation.
Executive summary
An unauthenticated Server-Side Request Forgery and Local File Inclusion vulnerability in the Planyo Online Reservation System plugin allows attackers to read arbitrary files from the server.
Vulnerability
The vulnerability (CWE-20) stems from improper input validation, allowing an unauthenticated attacker to perform SSRF, which can be leveraged to achieve Local File Inclusion (LFI) on the underlying server.
Business impact
This vulnerability carries a CVSS score of 7.2, reflecting a high risk of sensitive information disclosure. An attacker could read configuration files, source code, or other sensitive data residing on the web server, which could lead to a full system compromise.
Remediation
Immediate Action: Update the Planyo Online Reservation System plugin to version 3.1 or higher immediately.
Proactive Monitoring: Monitor server logs for attempts to access local files or unexpected outbound connections from the web server.
Compensating Controls: If immediate patching is not feasible, disable the plugin and implement WAF rules to filter malicious input strings commonly associated with LFI/SSRF attacks.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The risk posed by this plugin vulnerability is substantial. Security teams must ensure the plugin is updated to version 3.1 immediately to prevent unauthorized access to sensitive server files.