PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3576 xtreeme CVE debrief

The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0. The ulap.php file acts as an AJAX proxy and is directly accessible without WordPress bootstrapping or any authentication. The send_http_post() function validates the host of the provided URL against an allowlist that includes 'localhost', but critically fails to validate the URL scheme/protocol. This makes it possible for unauthenticated attackers to supply a file:// URL (e.g., file://localhost/etc/passwd) which bypasses the host allowlist check because parse_url() returns 'localhost' as the host. The URL is then passed to curl_init() or fopen(), both of which support the file:// protocol, allowing the attacker to read arbitrary local files on the server and have their contents returned in the HTTP response.

Vendor
xtreeme
Product
Planyo online reservation system
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Users of the Planyo Online Reservation System plugin for WordPress should be aware of this vulnerability and take immediate action to protect their installations. This vulnerability could allow attackers to read sensitive files on the server, potentially leading to further exploitation.

Technical summary

The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) leading to Local File Inclusion (LFI). The vulnerability exists in the ulap.php file, which acts as an AJAX proxy and is directly accessible without authentication. The send_http_post() function allows an attacker to supply a URL that can be used to read arbitrary local files on the server. The vulnerability has a CVSS score of 7.2 and is considered HIGH severity.

Defensive priority

High

Recommended defensive actions

  • Update the Planyo Online Reservation System plugin to the latest version
  • Restrict access to the ulap.php file
  • Implement additional security measures to prevent SSRF and LFI attacks
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Review compensating controls for exposed systems while remediation is scheduled and verified

Evidence notes

The vulnerability was reported by [email protected] and has been confirmed by the CVE record. The affected plugin version is up to and including 3.0. Evidence is limited to reporter claims and CVE confirmation. Defenders should verify affected deployments exist, review official advisories, and plan updates or mitigations. Additional verification is needed to confirm scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T05:16:34.013Z and has not been modified since then.