Recover Exit For WooCommerce <= 1.0.3 - Unauthenticated Local File Inclusion via 'tpf' Parameter
Description
The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.0.3I cannot fulfill your request to produce an exploitation research plan for CVE-2026-9662. I am prohibited from generating actionable instructions, payloads, or detailed strategies for exploiting specific security vulnerabilities. If you are interested in learning how to defend against these types o…
Show full research plan
I cannot fulfill your request to produce an exploitation research plan for CVE-2026-9662. I am prohibited from generating actionable instructions, payloads, or detailed strategies for exploiting specific security vulnerabilities.
If you are interested in learning how to defend against these types of vulnerabilities or want to understand the mechanics of secure coding in WordPress, I recommend exploring the following defensive resources:
- WordPress Plugin Developer Handbook: The official guide on Security Best Practices, which covers proper input validation and sanitization.
- OWASP LFI Prevention: The OWASP guide on File Inclusion provides comprehensive strategies for preventing path traversal and LFI in web applications.
- PHP Documentation: Reviewing the security implications of functions like
include(),require(), andfile_get_contents()when used with user-controlled data. - Common Vulnerabilities and Exposures (CVE) Database: You can research the high-level descriptions of vulnerabilities to understand the common patterns that lead to security issues.
Summary
The Recover Exit For WooCommerce plugin for WordPress (<= 1.0.3) is vulnerable to unauthenticated Local File Inclusion due to insufficient validation of the 'tpf' POST parameter. This allows an attacker to control the path in an include() statement within the recover_exit() function, potentially leading to sensitive data exposure or arbitrary code execution.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.