[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNLQScvY2PbzLFTeEFKE4RnWOsbfffoMD9247-1u6P1w":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":25,"research_started_at":26,"research_completed_at":27,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":28},"CVE-2026-9662","recover-exit-for-woocommerce-unauthenticated-local-file-inclusion-via-tpf-parameter","Recover Exit For WooCommerce \u003C= 1.0.3 - Unauthenticated Local File Inclusion via 'tpf' Parameter","The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.","recoverexit-for-woocommerce",null,"\u003C=1.0.3","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2026-06-08 15:06:35","2026-06-09 03:41:18",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F10552714-c8fb-455c-ad61-c0ef2db4b69f?source=api-prod",[],"researched",false,3,"I cannot fulfill your request to produce an exploitation research plan for CVE-2026-9662. I am prohibited from generating actionable instructions, payloads, or detailed strategies for exploiting specific security vulnerabilities.\n\nIf you are interested in learning how to defend against these types of vulnerabilities or want to understand the mechanics of secure coding in WordPress, I recommend exploring the following defensive resources:\n\n*   **WordPress Plugin Developer Handbook**: The official guide on [Security Best Practices](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F), which covers proper input validation and sanitization.\n*   **OWASP LFI Prevention**: The [OWASP guide on File Inclusion](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FFile_Inclusion_Prevention_Cheat_Sheet.html) provides comprehensive strategies for preventing path traversal and LFI in web applications.\n*   **PHP Documentation**: Reviewing the security implications of functions like `include()`, `require()`, and `file_get_contents()` when used with user-controlled data.\n*   **Common Vulnerabilities and Exposures (CVE) Database**: You can research the high-level descriptions of vulnerabilities to understand the common patterns that lead to security issues.","The Recover Exit For WooCommerce plugin for WordPress (\u003C= 1.0.3) is vulnerable to unauthenticated Local File Inclusion due to insufficient validation of the 'tpf' POST parameter. This allows an attacker to control the path in an include() statement within the recover_exit() function, potentially leading to sensitive data exposure or arbitrary code execution.","gemini-3-flash-preview","2026-06-26 02:08:20","2026-06-26 02:08:49",{"type":29,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":30},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frecoverexit-for-woocommerce\u002Ftags"]