<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Planyo Online Reservation System Plugin &lt;= 3.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/planyo-online-reservation-system-plugin--3.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 05:20:30 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/planyo-online-reservation-system-plugin--3.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-3576: Planyo WordPress Plugin Vulnerable to SSRF and LFI</title><link>https://feed.craftedsignal.io/briefs/2026-07-planyo-wordpress-ssrf-lfi/</link><pubDate>Sat, 11 Jul 2026 05:20:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-planyo-wordpress-ssrf-lfi/</guid><description>The Planyo Online Reservation System plugin for WordPress, in all versions up to and including 3.0, is vulnerable to Server-Side Request Forgery (SSRF) leading to Local File Inclusion (LFI), allowing an unauthenticated attacker to exploit the `ulap.php` file by supplying a `file://` URL that bypasses the host allowlist, reading arbitrary local files on the server and retrieving their contents in the HTTP response, potentially disclosing sensitive data.</description><content:encoded><![CDATA[<p>The Planyo Online Reservation System plugin for WordPress, in all versions up to and including 3.0, contains a critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-3576, which can be leveraged for Local File Inclusion (LFI). The <code>ulap.php</code> file, functioning as an AJAX proxy, is directly accessible without requiring WordPress bootstrapping or any authentication. This vulnerability arises because the <code>send_http_post()</code> function validates the host of a provided URL against an allowlist that includes 'localhost' but critically fails to validate the URL scheme or protocol. This oversight allows unauthenticated attackers to supply a <code>file://</code> URL, such as <code>file://localhost/etc/passwd</code>, which bypasses the host allowlist check because <code>parse_url()</code> correctly identifies 'localhost' as the host. The malicious URL is then processed by <code>curl_init()</code> or <code>fopen()</code>, both of which support the <code>file://</code> protocol, enabling the attacker to read arbitrary local files on the server and receive their contents in the HTTP response. This flaw can lead to the disclosure of highly sensitive information, including system configuration files like <code>/etc/passwd</code> and WordPress specific credentials in <code>wp-config.php</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious HTTP POST request targeting the <code>ulap.php</code> endpoint of a vulnerable Planyo WordPress plugin installation.</li>
<li>The POST request includes a parameter containing a specially formatted <code>file://</code> URL, such as <code>file://localhost/etc/passwd</code> or <code>file://localhost/var/www/html/wp-config.php</code>.</li>
<li>The <code>send_http_post()</code> function within <code>ulap.php</code> receives this URL and uses <code>parse_url()</code> to extract the host, which is 'localhost'.</li>
<li>The extracted 'localhost' value successfully matches an entry in the plugin's internal host allowlist, allowing the request to proceed.</li>
<li>Crucially, the plugin fails to validate or restrict the URL scheme, allowing the <code>file://</code> protocol to pass through the validation.</li>
<li>The complete <code>file://</code> URL is then passed to either <code>curl_init()</code> or <code>fopen()</code> functions, which interpret it as a request to access a local file.</li>
<li>The server-side function reads the content of the specified local file (e.g., <code>/etc/passwd</code> or <code>wp-config.php</code>).</li>
<li>The contents of the arbitrary local file are returned in the HTTP response body to the attacker, achieving local file inclusion and data disclosure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3576 allows unauthenticated attackers to read arbitrary files on the compromised server. This can lead to the disclosure of highly sensitive system information like <code>/etc/passwd</code>, which contains user account details. More critically for WordPress installations, attackers can exfiltrate <code>wp-config.php</code>, exposing database credentials, authentication unique keys, and salts, granting them potential access to the WordPress database. This could escalate to full site compromise, data manipulation, or further attacks on other systems using the exposed credentials. The vulnerability affects all Planyo Online Reservation System plugin versions up to and including 3.0, potentially exposing a wide range of WordPress sites.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-3576 immediately by updating the Planyo Online Reservation System plugin for WordPress to a version greater than 3.0.</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-3576 Exploitation - Planyo WordPress Plugin SSRF/LFI&quot; to your SIEM and configure your web server logs to capture <code>cs-uri-stem</code> and <code>cs-uri-query</code> for accurate detection.</li>
<li>Monitor web server access logs for HTTP POST requests to <code>/wp-content/plugins/planyo/ulap.php</code> containing <code>file://localhost/</code> within the query parameters.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>ssrf</category><category>lfi</category><category>web-application</category><category>cve</category></item></channel></rss>