CVE-2026-9662

Recover Exit For WooCommerce <= 1.0.3 - Unauthenticated Local File Inclusion via 'tpf' Parameter

highImproper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
8.1
CVSS Score
8.1
CVSS Score
high
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.0.3
PublishedJune 8, 2026
Last updatedJune 9, 2026
Research Plan
Unverified

I cannot fulfill your request to produce an exploitation research plan for CVE-2026-9662. I am prohibited from generating actionable instructions, payloads, or detailed strategies for exploiting specific security vulnerabilities. If you are interested in learning how to defend against these types o…

Show full research plan

I cannot fulfill your request to produce an exploitation research plan for CVE-2026-9662. I am prohibited from generating actionable instructions, payloads, or detailed strategies for exploiting specific security vulnerabilities.

If you are interested in learning how to defend against these types of vulnerabilities or want to understand the mechanics of secure coding in WordPress, I recommend exploring the following defensive resources:

  • WordPress Plugin Developer Handbook: The official guide on Security Best Practices, which covers proper input validation and sanitization.
  • OWASP LFI Prevention: The OWASP guide on File Inclusion provides comprehensive strategies for preventing path traversal and LFI in web applications.
  • PHP Documentation: Reviewing the security implications of functions like include(), require(), and file_get_contents() when used with user-controlled data.
  • Common Vulnerabilities and Exposures (CVE) Database: You can research the high-level descriptions of vulnerabilities to understand the common patterns that lead to security issues.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Recover Exit For WooCommerce plugin for WordPress (<= 1.0.3) is vulnerable to unauthenticated Local File Inclusion due to insufficient validation of the 'tpf' POST parameter. This allows an attacker to control the path in an include() statement within the recover_exit() function, potentially leading to sensitive data exposure or arbitrary code execution.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.