Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpBookingly service-booking-manager allows PHP Local File Inclusion.This issue affects WpBookingly: from n/a through <= 1.2.9.
Published: 2026-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The flaw is an improper control of the filename used in a PHP include/require statement within the WpBookingly plugin, identified as CWE-98. This issue allows a local file inclusion in the plugin, which can be triggered to read arbitrary files from the server. The violation could expose configuration or credential files, leading to confidentiality compromise.

Affected Systems

The vulnerability is present in the magepeopleteam WpBookingly service‑booking‑manager plugin for all versions from the initial release (n/a) through version 1.2.9. Any WordPress installation that has a vulnerable version installed is at risk.

Risk and Exploitability

The base CVSS score is 7.5, representing high severity. The EPSS score is below 1%, indicating low likelihood of exploitation at present. The vulnerability is not included in the CISA KEV catalog. Inferred that the attacker must be able to influence the file path parameter used by the plugin, typically through a URL or form input; this makes the attack vector likely application‑layer local file inclusion. The primary impact is the potential disclosure of sensitive files and can serve as a foothold for further compromise if additional weaknesses exist.

Generated by OpenCVE AI on March 17, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WpBookingly plugin to a version newer than 1.2.9, if available from the vendor.
  • Disable or remove the WpBookingly plugin until a patch is released.
  • Monitor the WordPress site for abnormal activity or logs indicating file inclusion attempts.

Generated by OpenCVE AI on March 17, 2026 at 16:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Magepeopleteam
Magepeopleteam wpbookingly
Wordpress
Wordpress wordpress
Vendors & Products Magepeopleteam
Magepeopleteam wpbookingly
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpBookingly service-booking-manager allows PHP Local File Inclusion.This issue affects WpBookingly: from n/a through <= 1.2.9.
Title WordPress WpBookingly plugin <= 1.2.9 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Magepeopleteam Wpbookingly
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:06.591Z

Reserved: 2026-03-12T11:11:04.189Z

Link: CVE-2026-32384

cve-icon Vulnrichment

Updated: 2026-03-17T13:34:11.808Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:53.633

Modified: 2026-03-17T14:16:16.150

Link: CVE-2026-32384

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:04:15Z

Weaknesses