What the vulnerability does
01Description
WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.
Explanation of Vulnerability in Simple Terms
02Summary
Dharma Booking versions up to 2.28.3 contain a local code execution vulnerability. An attacker with local access to the system can run arbitrary code with high privileges. The vulnerability stems from improper handling of user-supplied input that is not properly validated before execution. This affects the confidentiality of data stored on the affected system.
What an attacker can do
03Attacker Capabilities
Run code locally on the server with high privileges.
Potential impact on your site
04Site Impact
An attacker with server access can execute code and read sensitive data from your booking system.
Conditions required to exploit
05Prerequisites
Local access to the server; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 15, 2026
CVE published
June 15, 2026
Record updated