CVE-2026-3576: Planyo WordPress Plugin Vulnerable to SSRF and LFI
The Planyo Online Reservation System plugin for WordPress, in all versions up to and including 3.0, is vulnerable to Server-Side Request Forgery (SSRF) leading to Local File Inclusion (LFI), allowing an unauthenticated attacker to exploit the `ulap.php` file by supplying a `file://` URL that bypasses the host allowlist, reading arbitrary local files on the server and retrieving their contents in the HTTP response, potentially disclosing sensitive data.
The Planyo Online Reservation System plugin for WordPress, in all versions up to and including 3.0, contains a critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-3576, which can be leveraged for Local File Inclusion (LFI). The ulap.php file, functioning as an AJAX proxy, is directly accessible without requiring WordPress bootstrapping or any authentication. This vulnerability arises because the send_http_post() function validates the host of a provided URL against an allowlist that includes 'localhost' but critically fails to validate the URL scheme or protocol. This oversight allows unauthenticated attackers to supply a file:// URL, such as file://localhost/etc/passwd, which bypasses the host allowlist check because parse_url() correctly identifies 'localhost' as the host. The malicious URL is then processed by curl_init() or fopen(), both of which support the file:// protocol, enabling the attacker to read arbitrary local files on the server and receive their contents in the HTTP response. This flaw can lead to the disclosure of highly sensitive information, including system configuration files like /etc/passwd and WordPress specific credentials in wp-config.php.
Attack Chain
- An unauthenticated attacker crafts a malicious HTTP POST request targeting the
ulap.phpendpoint of a vulnerable Planyo WordPress plugin installation. - The POST request includes a parameter containing a specially formatted
file://URL, such asfile://localhost/etc/passwdorfile://localhost/var/www/html/wp-config.php. - The
send_http_post()function withinulap.phpreceives this URL and usesparse_url()to extract the host, which is 'localhost'. - The extracted 'localhost' value successfully matches an entry in the plugin's internal host allowlist, allowing the request to proceed.
- Crucially, the plugin fails to validate or restrict the URL scheme, allowing the
file://protocol to pass through the validation. - The complete
file://URL is then passed to eithercurl_init()orfopen()functions, which interpret it as a request to access a local file. - The server-side function reads the content of the specified local file (e.g.,
/etc/passwdorwp-config.php). - The contents of the arbitrary local file are returned in the HTTP response body to the attacker, achieving local file inclusion and data disclosure.
Impact
Successful exploitation of CVE-2026-3576 allows unauthenticated attackers to read arbitrary files on the compromised server. This can lead to the disclosure of highly sensitive system information like /etc/passwd, which contains user account details. More critically for WordPress installations, attackers can exfiltrate wp-config.php, exposing database credentials, authentication unique keys, and salts, granting them potential access to the WordPress database. This could escalate to full site compromise, data manipulation, or further attacks on other systems using the exposed credentials. The vulnerability affects all Planyo Online Reservation System plugin versions up to and including 3.0, potentially exposing a wide range of WordPress sites.
Recommendation
- Patch CVE-2026-3576 immediately by updating the Planyo Online Reservation System plugin for WordPress to a version greater than 3.0.
- Deploy the Sigma rule "Detects CVE-2026-3576 Exploitation - Planyo WordPress Plugin SSRF/LFI" to your SIEM and configure your web server logs to capture
cs-uri-stemandcs-uri-queryfor accurate detection. - Monitor web server access logs for HTTP POST requests to
/wp-content/plugins/planyo/ulap.phpcontainingfile://localhost/within the query parameters.
Detection coverage 1
Detects CVE-2026-3576 Exploitation - Planyo WordPress Plugin SSRF/LFI
highDetects CVE-2026-3576 exploitation by identifying HTTP POST requests to the Planyo WordPress plugin's ulap.php endpoint with a file://localhost/ URI in the query string, indicative of SSRF leading to LFI.
Detection queries are available on the platform. Get full rules →