Description
WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.
Published: 2026-06-15
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Dharma Booking plugin 2.28.3 and earlier allows an unauthenticated attacker to include arbitrary files through the gateway parameter in proccess.php. By supplying directory traversal sequences or null byte injections, the attacker can read sensitive files such as configuration files or system files, compromising confidentiality of source code and potentially exposing credentials or system information. The weakness is an instance of insecure file inclusion (CWE-98).

Affected Systems

The vulnerability affects the WordPress plugin Dharma Booking by jamie, version 2.28.3 and any earlier releases. No other vendors or versions are specifically listed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a simple HTTP request to proccess.php with a crafted gateway parameter, requiring no special privileges or authentication. Although the vulnerability does not provide direct code execution, reading sensitive files can lead to further exploitation such as credential theft or system compromise.

Generated by OpenCVE AI on June 16, 2026 at 02:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dharma Booking plugin to the latest version (2.28.3 or newer) that resolves the LFI issue.
  • If an update is not immediately available, deactivate or uninstall the plugin to eliminate the attack surface.
  • Configure the web server and PHP to enforce open_basedir restrictions and ensure sensitive files are not readable from the web root, reducing the impact of any remaining LFI attempts.
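As an added illustration of the allow-list pattern that removes this class of defect (not code from the Dharma Booking plugin, whose source this record does not show; the gateway directory and file names are hypothetical), the request value is used only as a key into a fixed map and never becomes part of a path:

```php
<?php
// Added example, not code from the Dharma Booking plugin (this record does not
// show it): a gateway loader that cannot be steered to arbitrary files.
// The request value is only ever a lookup key into a fixed map and is never
// concatenated into a path, so traversal sequences and null bytes are inert.
// The directory and file names are hypothetical.

const GATEWAY_DIR = __DIR__ . '/gateways';

// Allow-list: request key => file name inside GATEWAY_DIR.
const GATEWAYS = [
    'paypal' => 'paypal.php',
    'stripe' => 'stripe.php',
    'bank'   => 'bank_transfer.php',
];

/**
 * Resolve the requested gateway key to an absolute file path, or return
 * null when the key is not allow-listed or the file does not resolve
 * inside GATEWAY_DIR.
 */
function resolve_gateway(string $requested): ?string
{
    if (!array_key_exists($requested, GATEWAYS)) {
        return null;
    }
    $base = realpath(GATEWAY_DIR);
    $path = realpath(GATEWAY_DIR . '/' . GATEWAYS[$requested]);
    // Defence in depth: the resolved file must still sit under GATEWAY_DIR,
    // which is the same containment open_basedir enforces at the PHP level.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Reject non-string input (e.g. gateway[]=x) before it reaches the lookup.
$requested = $_GET['gateway'] ?? '';
$file = is_string($requested) ? resolve_gateway($requested) : null;
if ($file === null) {
    http_response_code(400);
    exit('Unknown gateway');
}
require $file;
```

Any value that is not one of the three keys, whatever it contains, is rejected before the filesystem is touched.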

Generated by OpenCVE AI on June 16, 2026 at 02:31 UTC.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 14:00:00 +0000

Type         Values Removed   Values Added
Description                   WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.
Title                         WordPress Dharma Booking 2.28.3 Local File Inclusion via proccess.php
Weaknesses                    CWE-98
References
Metrics                       cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                              cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T16:20:59.773Z

Reserved: 2026-06-15T11:46:31.269Z

Link: CVE-2016-20079

Vulnrichment

Updated: 2026-06-15T16:20:56.127Z

NVD

Status: Deferred

Published: 2026-06-15T14:16:31.370

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20079

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T02:45:16Z

Weaknesses
  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')