CVE-2026-32384: WpBookingly Path Traversal Vulnerability

CVE-2026-32384 Overview

CVE-2026-32384 is a PHP Local File Inclusion (LFI) vulnerability affecting the WpBookingly (service-booking-manager) WordPress plugin developed by magepeopleteam. The vulnerability stems from improper control of filename parameters used in PHP include/require statements, allowing attackers to include local files from the server filesystem. This can lead to sensitive information disclosure, configuration file exposure, and potentially remote code execution when combined with other attack techniques.

Critical Impact
Authenticated attackers with low privileges can exploit this LFI vulnerability to read arbitrary files from the WordPress server, potentially exposing database credentials, configuration secrets, and other sensitive data.

Affected Products

WpBookingly (service-booking-manager) plugin versions up to and including 1.2.9
WordPress installations running vulnerable WpBookingly versions
Web servers hosting affected WordPress sites with the service-booking-manager plugin

Discovery Timeline

2026-03-13 - CVE-2026-32384 published to NVD
2026-03-17 - Last updated in NVD database

Technical Details for CVE-2026-32384

Vulnerability Analysis

This vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The WpBookingly plugin fails to properly sanitize user-controlled input before passing it to PHP's include or require functions. While the official description notes this as a "Remote File Inclusion" vulnerability type, the actual exploitable behavior enables PHP Local File Inclusion attacks.

The attack requires network access and authentication with low privileges. Though attack complexity is considered high, successful exploitation can result in complete compromise of confidentiality, integrity, and availability of the affected system. The vulnerability does not require user interaction and operates within the scope of the vulnerable component.

Root Cause

The root cause lies in insufficient input validation and sanitization of filename parameters within the WpBookingly plugin. When the plugin processes requests that involve dynamic file inclusion, it fails to:

Properly validate that requested files exist within expected directories
Sanitize path traversal sequences (such as ../) from user input
Implement an allowlist of permitted files for inclusion
Apply proper canonicalization to file paths before inclusion

This allows attackers to manipulate the filename parameter to traverse directories and include arbitrary PHP files or readable files from the server filesystem.

Attack Vector

The attack is conducted over the network by authenticated users with minimal privileges. An attacker can craft malicious requests containing path traversal sequences to escape the intended directory structure and include sensitive files. Common targets include:

WordPress configuration files (wp-config.php) containing database credentials
System files like /etc/passwd for user enumeration
Apache/Nginx configuration files
PHP session files for session hijacking
Log files that may contain injected PHP code (log poisoning)

The vulnerability requires the attacker to have at least subscriber-level authentication to the WordPress installation, which limits mass exploitation but still presents significant risk in multi-user WordPress environments.

Detection Methods for CVE-2026-32384

Indicators of Compromise

Unusual HTTP requests containing path traversal patterns (../, ..%2f, ....//) targeting the WpBookingly plugin endpoints
Web server logs showing access attempts to sensitive system files through plugin parameters
Unexpected file access patterns in PHP error logs related to the service-booking-manager plugin
Authentication logs showing login attempts followed by suspicious plugin activity

Detection Strategies

Implement Web Application Firewall (WAF) rules to detect and block path traversal sequences in requests targeting /wp-content/plugins/service-booking-manager/
Monitor web server access logs for requests containing encoded traversal patterns such as %2e%2e%2f or %252e%252e%252f
Deploy file integrity monitoring on critical configuration files like wp-config.php to detect unauthorized access attempts
Configure intrusion detection systems (IDS) with signatures for PHP LFI attack patterns

Monitoring Recommendations

Enable detailed logging for the WordPress installation and review logs for anomalous plugin behavior
Set up alerts for failed file access attempts in PHP error logs that reference unexpected file paths
Monitor network traffic for HTTP responses containing sensitive file contents that may indicate successful exploitation
Implement security information and event management (SIEM) rules correlating authentication events with subsequent suspicious file access patterns

How to Mitigate CVE-2026-32384

Immediate Actions Required

Update the WpBookingly (service-booking-manager) plugin to a patched version as soon as one becomes available
If no patch is available, consider temporarily disabling the WpBookingly plugin until a fix is released
Review and restrict user access to minimize accounts with any level of authentication to the WordPress site
Implement WAF rules to block path traversal attempts targeting the vulnerable plugin

Patch Information

Organizations should monitor the Patchstack WordPress Vulnerability Advisory for updates regarding official patches. It is recommended to upgrade to a version higher than 1.2.9 when available and ensure automatic plugin updates are enabled for this component.

Workarounds

Temporarily deactivate and remove the WpBookingly plugin if the service booking functionality is not critical
Implement server-level restrictions using .htaccess or nginx configuration to limit access to the plugin directory
Deploy a Web Application Firewall with rules specifically blocking LFI attack patterns targeting WordPress plugins
Restrict PHP's open_basedir directive to limit file access to the WordPress installation directory only

bash

# Apache .htaccess mitigation to block path traversal attempts
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\.%2f|%2e%2e) [NC]
    RewriteRule ^wp-content/plugins/service-booking-manager/.* - [F,L]
</IfModule>

# PHP open_basedir restriction in php.ini or .user.ini
# open_basedir = /var/www/html/wordpress/:/tmp/

CVE-2026-32384 Overview

Critical Impact
Authenticated attackers with low privileges can exploit this LFI vulnerability to read arbitrary files from the WordPress server, potentially exposing database credentials, configuration secrets, and other sensitive data.

Affected Products

WpBookingly (service-booking-manager) plugin versions up to and including 1.2.9
WordPress installations running vulnerable WpBookingly versions
Web servers hosting affected WordPress sites with the service-booking-manager plugin

Discovery Timeline

2026-03-13 - CVE-2026-32384 published to NVD
2026-03-17 - Last updated in NVD database

Technical Details for CVE-2026-32384

Vulnerability Analysis

Root Cause

Properly validate that requested files exist within expected directories
Sanitize path traversal sequences (such as ../) from user input
Implement an allowlist of permitted files for inclusion
Apply proper canonicalization to file paths before inclusion

This allows attackers to manipulate the filename parameter to traverse directories and include arbitrary PHP files or readable files from the server filesystem.

Attack Vector

WordPress configuration files (wp-config.php) containing database credentials
System files like /etc/passwd for user enumeration
Apache/Nginx configuration files
PHP session files for session hijacking
Log files that may contain injected PHP code (log poisoning)

Detection Methods for CVE-2026-32384

Indicators of Compromise

Unusual HTTP requests containing path traversal patterns (../, ..%2f, ....//) targeting the WpBookingly plugin endpoints
Web server logs showing access attempts to sensitive system files through plugin parameters
Unexpected file access patterns in PHP error logs related to the service-booking-manager plugin
Authentication logs showing login attempts followed by suspicious plugin activity

Detection Strategies

Implement Web Application Firewall (WAF) rules to detect and block path traversal sequences in requests targeting /wp-content/plugins/service-booking-manager/
Monitor web server access logs for requests containing encoded traversal patterns such as %2e%2e%2f or %252e%252e%252f
Deploy file integrity monitoring on critical configuration files like wp-config.php to detect unauthorized access attempts
Configure intrusion detection systems (IDS) with signatures for PHP LFI attack patterns

Monitoring Recommendations

Enable detailed logging for the WordPress installation and review logs for anomalous plugin behavior
Set up alerts for failed file access attempts in PHP error logs that reference unexpected file paths
Monitor network traffic for HTTP responses containing sensitive file contents that may indicate successful exploitation
Implement security information and event management (SIEM) rules correlating authentication events with subsequent suspicious file access patterns

How to Mitigate CVE-2026-32384

Immediate Actions Required

Update the WpBookingly (service-booking-manager) plugin to a patched version as soon as one becomes available
If no patch is available, consider temporarily disabling the WpBookingly plugin until a fix is released
Review and restrict user access to minimize accounts with any level of authentication to the WordPress site
Implement WAF rules to block path traversal attempts targeting the vulnerable plugin

Patch Information

Workarounds

Temporarily deactivate and remove the WpBookingly plugin if the service booking functionality is not critical
Implement server-level restrictions using .htaccess or nginx configuration to limit access to the plugin directory
Deploy a Web Application Firewall with rules specifically blocking LFI attack patterns targeting WordPress plugins
Restrict PHP's open_basedir directive to limit file access to the WordPress installation directory only

bash

# Apache .htaccess mitigation to block path traversal attempts
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\.%2f|%2e%2e) [NC]
    RewriteRule ^wp-content/plugins/service-booking-manager/.* - [F,L]
</IfModule>

# PHP open_basedir restriction in php.ini or .user.ini
# open_basedir = /var/www/html/wordpress/:/tmp/

CVE-2026-32384: WpBookingly Path Traversal Vulnerability

CVE-2026-32384 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-32384

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-32384

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-32384

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-32384: WpBookingly Path Traversal Vulnerability

CVE-2026-32384 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-32384

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-32384

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-32384

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform