CVE-2026-32384: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in magepeopleteam WpBookingly
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpBookingly service-booking-manager allows PHP Local File Inclusion. This issue affects WpBookingly: from n/a through <= 1.2.9.
AI Analysis
Technical Summary
CVE-2026-32384 is a PHP Local File Inclusion (LFI) vulnerability in the magepeopleteam WpBookingly WordPress plugin (the service-booking-manager package), affecting every version up to and including 1.2.9. The weakness class is CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program): a request-controlled value reaches a PHP include or require statement without being constrained to a fixed set of intended files, so an attacker can steer the include to arbitrary files already present on the server. The advisory does not name the affected parameter and does not state whether authentication is required. Because include() both reads and executes a file as PHP, an LFI has two distinct consequences. The first is disclosure of any file the web server user can read, most importantly wp-config.php with its database credentials and authentication salts, plus other configuration and, on many hosts, system files such as /etc/passwd. The second is code execution whenever the attacker can place PHP code into any file that can later be included, for example an uploaded file, a log, or a session file; this is why a "local" inclusion is routinely escalated to remote code execution even though no remote URL is fetched. The only difference from Remote File Inclusion is that the included file must already exist on the host. No CVSS score has been assigned, and no public exploit or in-the-wild exploitation has been reported. The CVE was reserved on 2026-03-12 and published in March 2026 by Patchstack, a CVE Numbering Authority focused on WordPress vulnerabilities; the record lists no patch link, so the availability of a fixed release should be confirmed directly with the vendor. WordPress powers a large share of the web and booking plugins like WpBookingly are deployed by businesses for appointment management, so exposed instances become an attractive target once exploitation details circulate.
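The shape of the bug and one way to close it, as an added example that is not WpBookingly code. The request parameter (`view`), the template file names and the directory layout are assumptions for illustration, since the advisory does not name the vulnerable parameter. The vulnerable function is shown for contrast only and is never called; the hardened version maps the untrusted value to a fixed allowlist and then verifies the resolved path with realpath() before including it.

```php
<?php
// Added example, not WpBookingly code. The "view" parameter, the template
// file names and the directory layout are assumptions for illustration.

// VULNERABLE (CWE-98): the request value becomes part of the include path.
// "../../../../wp-config.php" makes PHP include and execute wp-config.php;
// "php://filter/convert.base64-encode/resource=../../../../wp-config" returns
// its source base64-encoded without executing it (the ".php" suffix is still
// appended to the wrapper's resource, so the real file name is reached).
function render_vulnerable(string $view, string $templateDir): void
{
    include $templateDir . '/' . $view . '.php';
}

// HARDENED: the request value is only ever used as a key into a fixed map,
// and the resolved path is verified to sit inside the template directory.
const ALLOWED_VIEWS = [
    'calendar' => 'calendar.php',
    'booking'  => 'booking-form.php',
    'confirm'  => 'confirmation.php',
];

function resolve_view(string $view, string $templateDir): ?string
{
    if (!array_key_exists($view, ALLOWED_VIEWS)) {
        return null;                                   // unknown key: refuse
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . ALLOWED_VIEWS[$view]);
    // realpath() is false for a missing file; also reject anything that
    // resolves (e.g. through a symlink) outside the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(string $view, string $templateDir): void
{
    $path = resolve_view($view, $templateDir);
    if ($path === null) {
        http_response_code(400);      // inside a WordPress plugin use wp_die()
        exit('invalid view');
    }
    include $path;
}

// Self-check on constructed input when run from the CLI: php lfi_example.php
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/calendar.php', '<?php echo "calendar rendered\n";');
    $cases = [
        'calendar'                        => true,   // allowlisted and present
        'booking'                         => false,  // allowlisted, file absent
        '../../../../etc/passwd'          => false,  // traversal is not a key
        'php://filter/resource=calendar'  => false,  // wrapper is not a key
        "calendar\0"                      => false,  // null byte is not a key
    ];
    foreach ($cases as $input => $expected) {
        $accepted = resolve_view($input, $dir) !== null;
        printf("%-36s %s\n", json_encode($input), $accepted === $expected ? 'PASS' : 'FAIL');
    }
    render_hardened('calendar', $dir);        // prints "calendar rendered"
    unlink($dir . '/calendar.php');
    rmdir($dir);
}
```

The allowlist is the real fix: once the request value is only a lookup key, traversal sequences, stream wrappers and null bytes are rejected by the key check alone. The realpath() comparison is a second line of defence against the directory itself being mis-set or symlinked, and it must compare against the base path plus a separator, otherwise a sibling directory whose name merely starts with the base name would pass.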
Potential Impact
For a site running an affected WpBookingly version, successful exploitation lets an attacker read any file the PHP process can read. On a WordPress host that includes wp-config.php, which holds the database credentials and authentication salts, so confidentiality of the whole site (user records, bookings, any stored payment references) is at risk; with database access the attacker can alter content or create an administrator account, compromising integrity as well. If the attacker can get PHP code into any includable file, the impact becomes full code execution as the web server user. Availability is a secondary concern: including the wrong file produces fatal errors, and a compromised host can be taken down deliberately. Businesses that depend on the plugin for customer appointments, scheduling or payments, notably in healthcare, hospitality and professional services, face operational disruption and reputational harm on top of the data exposure. No exploitation in the wild has been reported, which limits the immediate risk, but public disclosure makes probing likely, and mass scanning for newly published WordPress plugin flaws is routine. The decisive factor is whether the vulnerable code path is reachable without credentials. The advisory does not say; until the vendor or a reproducer confirms otherwise, treat the flaw as pre-authentication and remotely exploitable.
Mitigation Recommendations
First establish exposure: the plugin's version appears on the WordPress Plugins screen and in the Version: header of its main file, and anything at or below 1.2.9 is affected. The record carries no patch link, so check the vendor (magepeopleteam) and the plugin's changelog for a release that explicitly addresses CVE-2026-32384, and update as soon as one exists. Until then, in order of effectiveness: deactivate the plugin if the business can tolerate it, since the vulnerable code cannot be reached while it is inactive; otherwise put a WAF rule in front of the site that blocks requests to the plugin's paths carrying directory-traversal sequences (../, ..\ and their single- and double-URL-encoded forms), PHP stream wrappers (php://, phar://, data://, zip://) or null bytes. Blocking direct requests to the plugin's PHP files with .htaccess or an equivalent nginx location rule helps only when the flawed include is reachable by requesting a plugin file directly; if it is reached through WordPress (a shortcode, an admin-ajax or REST action), that rule will not stop it and may break the plugin, so test before relying on it. If you maintain a fork or can patch locally, replace any include/require whose path derives from request data with an allowlist lookup (map the parameter to a fixed set of known files and reject everything else) and verify the resolved path with realpath() against the intended directory. Monitor access logs for the traversal and wrapper patterns above and the PHP error log for failed-include warnings pointing at the plugin; both are cheap early-warning signals. Tighten filesystem permissions so the PHP process can read only what it needs, with the caveat that it must read wp-config.php, so permissions shrink the blast radius (system files, other sites on the host) rather than preventing credential exposure. Keep tested backups and an incident response plan, and if exploitation is confirmed rotate the database credentials and WordPress salts, since wp-config.php should be presumed read.
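A detection aid for the log-monitoring step above, as an added example that is not OffSeq, Patchstack or vendor code. The log lines, the `view` parameter and the request path under the plugin directory are constructed for the example; the plugin's real endpoints are not documented in the advisory. The script flags requests in an Apache or nginx combined-format access log that look like LFI probes, testing the raw, single- and double-URL-decoded request target because scanners routinely encode traversal twice to slip past a single decode.

```php
<?php
// Added example, not vendor code. Log lines, the "view" parameter and the
// request path are constructed; adjust the patterns to the real endpoint.

const LFI_PATTERNS = [
    'traversal' => '~(?:\.\./|\.\.\\\\|%2e%2e(?:%2f|%5c|/)|\.\.%2f|\.\.%5c)~i',
    'wrapper'   => '~(?:php|phar|zip|data|expect|file|glob)(?:%3a|:)(?:%2f|/){2}~i',
    'null-byte' => '~%00~',
    'sensitive' => '~(?:/etc/passwd|/proc/self/environ|wp-config\.php|/var/log/)~i',
];

// Returns the names of the patterns that match one log line (empty if none).
function classify_request(string $line): array
{
    // Combined log format: "METHOD target HTTP/x.y" inside double quotes.
    if (!preg_match('~"(?:GET|POST|HEAD|PUT) ([^ "]+) HTTP/[\d.]+"~', $line, $m)) {
        return [];
    }
    $target = $m[1];
    // Decoding once is not enough: test raw, single- and double-decoded forms.
    $forms = [$target, rawurldecode($target), rawurldecode(rawurldecode($target))];
    $hits = [];
    foreach (LFI_PATTERNS as $name => $re) {
        foreach ($forms as $form) {
            if (preg_match($re, $form)) {
                $hits[] = $name;
                break;
            }
        }
    }
    return $hits;
}

// Returns [line number => [pattern names]] for every suspicious line.
function scan_log(string $log): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $i => $line) {
        $hits = classify_request($line);
        if ($hits !== []) {
            $alerts[$i + 1] = $hits;
        }
    }
    return $alerts;
}

// Constructed sample: line 1 is a benign request, lines 2-4 are probe shapes
// (plain traversal, double-encoded traversal, php://filter source read).
$sample = <<<'LOG'
203.0.113.10 - - [13/Mar/2026:12:00:01 +0000] "GET /wp-content/plugins/service-booking-manager/?view=calendar HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Mar/2026:12:00:02 +0000] "GET /wp-content/plugins/service-booking-manager/?view=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.10 - - [13/Mar/2026:12:00:03 +0000] "GET /wp-content/plugins/service-booking-manager/?view=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.10 - - [13/Mar/2026:12:00:04 +0000] "GET /wp-content/plugins/service-booking-manager/?view=php://filter/convert.base64-encode/resource=../../../../wp-config HTTP/1.1" 200 6000 "-" "python-requests/2.31"
LOG;

if (PHP_SAPI === 'cli') {
    foreach (scan_log($sample) as $lineNo => $hits) {
        printf("line %d: %s\n", $lineNo, implode(', ', $hits));
    }
}
```

Run with `php lfi_scan.php`; on the constructed sample it reports line 2 as traversal and sensitive, line 3 as traversal and sensitive (visible only after the second decode), and line 4 as traversal and wrapper. Feed a real log in with `file_get_contents()` or pipe it through stdin. The same patterns, applied to the request target before WordPress runs, are what a WAF rule for this class of flaw needs to match; status codes are deliberately ignored because a successful inclusion often returns 200.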
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-03-12T11:11:04.189Z
- CVSS Version: none (no CVSS score assigned)
- State: PUBLISHED
Threat ID: 69b3fc742f860ef943d17ae0
Added to database: 3/13/2026, 12:00:52 PM
Last enriched: 3/13/2026, 1:00:08 PM
Last updated: 3/15/2026, 12:10:18 PM