CVE-2026-9662
Received - Intake
Local File Inclusion in Recover Exit For WooCommerce Plugin

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Wordfence

Description
The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.
Meta Information

Published: 2026-06-09

Last Modified: 2026-06-09

Generated: 2026-06-09

AI Q&A: 2026-06-09

EPSS Evaluated: N/A

Affected Vendors & Products

| Vendor | Product | Version / Range |
|---|---|---|
| recover_exit | recover_exit_for_woocommerce | to 1.0.3 (inc) |

| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |

Executive Summary

The Recover Exit For WooCommerce plugin for WordPress is affected by a Local File Inclusion (LFI) vulnerability in all versions up to and including 1.0.3.

This vulnerability occurs because the plugin does not properly validate or sanitize the user-controlled `tpf` POST parameter before using it in an `include()` call within the `recover_exit()` function.

As a result, an unauthenticated attacker can perform path traversal attacks to include unintended local PHP files.
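
One way to close this class of bug, shown as an added example (it is not the plugin's code and does not come from the advisory): map the request value to a fixed allowlist and confirm the canonical path stays under the template directory. The template names, `resolve_template()` and the demo directory are hypothetical; the code requires PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request value => template file shipped with the plugin.
const ALLOWED_TEMPLATES = [
    'popup'  => 'popup.php',
    'banner' => 'banner.php',
];

/**
 * Resolve a request-supplied template key to a file inside $baseDir.
 * Returns the absolute path, or null if the key is unknown or the
 * resolved path escapes $baseDir (for example through a symlink).
 */
function resolve_template(mixed $requested, string $baseDir): ?string
{
    // Reject arrays (tpf[]=...) and anything that is not an exact allowlist key.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_TEMPLATES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the canonical path must still sit under the base directory.
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// --- Constructed demo: a temporary template directory and sample inputs ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/popup.php', "<?php echo 'popup template';\n");
file_put_contents($dir . '/banner.php', "<?php echo 'banner template';\n");

// Constructed inputs: two valid keys, then values that must never reach include().
$samples = ['popup', 'banner', '../popup', 'popup.php', '../../outside', ['popup'], ''];
foreach ($samples as $tpf) {
    $path  = resolve_template($tpf, $dir);
    $label = json_encode($tpf, JSON_UNESCAPED_SLASHES);
    printf("%-18s => %s\n", $label, $path === null ? 'rejected' : 'include ' . basename($path));
}

// Weak pattern this replaces (illustrative, not the plugin's actual code):
//   include $baseDir . '/' . $_POST['tpf'] . '.php';

// Clean up the constructed demo directory.
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

Because the request value is only ever used as an array key, no request-derived string is concatenated into the path passed to `include()`.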

Impact Analysis

This vulnerability can lead to sensitive information exposure by allowing attackers to include and read local files on the server.

In certain deployment scenarios, it can also lead to remote code execution, which means attackers could run arbitrary code on the affected server.

The CVSS score of 8.1 indicates a high severity impact, affecting confidentiality, integrity, and availability.

Compliance Impact

The vulnerability in the Recover Exit For WooCommerce plugin allows unauthenticated attackers to perform local file inclusion, potentially exposing sensitive information and enabling code execution.

Such exposure of sensitive information and unauthorized code execution can lead to violations of data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by failing to protect sensitive data adequately.
