Description
WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.
Published: 2026-06-15
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress plugin Dharma Booking by jamie, in version 2.28.3 and earlier, contains a local file inclusion vulnerability that permits an unauthenticated attacker to include arbitrary files by manipulating the gateway parameter in proccess.php. By supplying directory traversal sequences or null byte injections, the attacker can read sensitive files such as configuration files or system files, thereby compromising confidentiality of source code and potentially exposing credentials or system information. This weakness exemplifies insecure file inclusion (CWE-98).

Affected Systems

The vulnerability affects the WordPress plugin Dharma Booking by jamie, specifically version 2.28.3 and all earlier releases. No other vendors or product versions are explicitly listed as affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score of < 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a basic HTTP request to proccess.php with a crafted gateway parameter, requiring no special privileges or authentication. While it does not provide direct code execution, reading sensitive files can lead to credential theft or other post‑exposure attacks.

Generated by OpenCVE AI on June 18, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall Dharma Booking until an updated, non‑vulnerable release is available.
  • If an immediate update cannot be applied, sanitize the gateway parameter in proccess.php to prevent arbitrary file inclusion, for example by validating against a whitelist of allowed paths.
  • Implement server‑side restrictions such as open_basedir or file permission settings to block access to sensitive files from the web root.
  • Deploy a web application firewall or IDS/IPS rule to detect and block attempts to exploit the local file inclusion.

Generated by OpenCVE AI on June 18, 2026 at 01:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Jamie
Jamie dharma Booking
Wordpress
Wordpress wordpress
Vendors & Products Jamie
Jamie dharma Booking
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.
Title WordPress Dharma Booking 2.28.3 Local File Inclusion via proccess.php
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Jamie Dharma Booking
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T16:20:59.773Z

Reserved: 2026-06-15T11:46:31.269Z

Link: CVE-2016-20079

cve-icon Vulnrichment

Updated: 2026-06-15T16:20:56.127Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T14:16:31.370

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20079

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:09:19Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')