Impact
WordPress plugin Dharma Booking by jamie, in version 2.28.3 and earlier, contains a local file inclusion vulnerability that permits an unauthenticated attacker to include arbitrary files by manipulating the gateway parameter in proccess.php. By supplying directory traversal sequences or null byte injections, the attacker can read sensitive files such as configuration files or system files, thereby compromising confidentiality of source code and potentially exposing credentials or system information. This weakness exemplifies insecure file inclusion (CWE-98).
Affected Systems
The vulnerability affects the WordPress plugin Dharma Booking by jamie, specifically version 2.28.3 and all earlier releases. No other vendors or product versions are explicitly listed as affected.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate severity. The EPSS score of < 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a basic HTTP request to proccess.php with a crafted gateway parameter, requiring no special privileges or authentication. While it does not provide direct code execution, reading sensitive files can lead to credential theft or other post‑exposure attacks.
OpenCVE Enrichment