{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/planyo-online-reservation-system-plugin--3.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-3576"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Planyo Online Reservation System plugin \u003c= 3.0"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","ssrf","lfi","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["Planyo","WordPress"],"content_html":"\u003cp\u003eThe Planyo Online Reservation System plugin for WordPress, in all versions up to and including 3.0, contains a critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-3576, which can be leveraged for Local File Inclusion (LFI). The \u003ccode\u003eulap.php\u003c/code\u003e file, functioning as an AJAX proxy, is directly accessible without requiring WordPress bootstrapping or any authentication. This vulnerability arises because the \u003ccode\u003esend_http_post()\u003c/code\u003e function validates the host of a provided URL against an allowlist that includes 'localhost' but critically fails to validate the URL scheme or protocol. This oversight allows unauthenticated attackers to supply a \u003ccode\u003efile://\u003c/code\u003e URL, such as \u003ccode\u003efile://localhost/etc/passwd\u003c/code\u003e, which bypasses the host allowlist check because \u003ccode\u003eparse_url()\u003c/code\u003e correctly identifies 'localhost' as the host. The malicious URL is then processed by \u003ccode\u003ecurl_init()\u003c/code\u003e or \u003ccode\u003efopen()\u003c/code\u003e, both of which support the \u003ccode\u003efile://\u003c/code\u003e protocol, enabling the attacker to read arbitrary local files on the server and receive their contents in the HTTP response. This flaw can lead to the disclosure of highly sensitive information, including system configuration files like \u003ccode\u003e/etc/passwd\u003c/code\u003e and WordPress specific credentials in \u003ccode\u003ewp-config.php\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eulap.php\u003c/code\u003e endpoint of a vulnerable Planyo WordPress plugin installation.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a parameter containing a specially formatted \u003ccode\u003efile://\u003c/code\u003e URL, such as \u003ccode\u003efile://localhost/etc/passwd\u003c/code\u003e or \u003ccode\u003efile://localhost/var/www/html/wp-config.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esend_http_post()\u003c/code\u003e function within \u003ccode\u003eulap.php\u003c/code\u003e receives this URL and uses \u003ccode\u003eparse_url()\u003c/code\u003e to extract the host, which is 'localhost'.\u003c/li\u003e\n\u003cli\u003eThe extracted 'localhost' value successfully matches an entry in the plugin's internal host allowlist, allowing the request to proceed.\u003c/li\u003e\n\u003cli\u003eCrucially, the plugin fails to validate or restrict the URL scheme, allowing the \u003ccode\u003efile://\u003c/code\u003e protocol to pass through the validation.\u003c/li\u003e\n\u003cli\u003eThe complete \u003ccode\u003efile://\u003c/code\u003e URL is then passed to either \u003ccode\u003ecurl_init()\u003c/code\u003e or \u003ccode\u003efopen()\u003c/code\u003e functions, which interpret it as a request to access a local file.\u003c/li\u003e\n\u003cli\u003eThe server-side function reads the content of the specified local file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e or \u003ccode\u003ewp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe contents of the arbitrary local file are returned in the HTTP response body to the attacker, achieving local file inclusion and data disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3576 allows unauthenticated attackers to read arbitrary files on the compromised server. This can lead to the disclosure of highly sensitive system information like \u003ccode\u003e/etc/passwd\u003c/code\u003e, which contains user account details. More critically for WordPress installations, attackers can exfiltrate \u003ccode\u003ewp-config.php\u003c/code\u003e, exposing database credentials, authentication unique keys, and salts, granting them potential access to the WordPress database. This could escalate to full site compromise, data manipulation, or further attacks on other systems using the exposed credentials. The vulnerability affects all Planyo Online Reservation System plugin versions up to and including 3.0, potentially exposing a wide range of WordPress sites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-3576 immediately by updating the Planyo Online Reservation System plugin for WordPress to a version greater than 3.0.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-3576 Exploitation - Planyo WordPress Plugin SSRF/LFI\u0026quot; to your SIEM and configure your web server logs to capture \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e for accurate detection.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for HTTP POST requests to \u003ccode\u003e/wp-content/plugins/planyo/ulap.php\u003c/code\u003e containing \u003ccode\u003efile://localhost/\u003c/code\u003e within the query parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T05:20:30Z","date_published":"2026-07-11T05:20:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-planyo-wordpress-ssrf-lfi/","summary":"The Planyo Online Reservation System plugin for WordPress, in all versions up to and including 3.0, is vulnerable to Server-Side Request Forgery (SSRF) leading to Local File Inclusion (LFI), allowing an unauthenticated attacker to exploit the `ulap.php` file by supplying a `file://` URL that bypasses the host allowlist, reading arbitrary local files on the server and retrieving their contents in the HTTP response, potentially disclosing sensitive data.","title":"CVE-2026-3576: Planyo WordPress Plugin Vulnerable to SSRF and LFI","url":"https://feed.craftedsignal.io/briefs/2026-07-planyo-wordpress-ssrf-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed - Planyo Online Reservation System Plugin \u003c= 3.0","version":"https://jsonfeed.org/version/1.1"}