CVE-2026-9662: Recover Exit WooCommerce Plugin LFI Vulnerability – Critical Path Traversal Risk
The Recover Exit For WooCommerce plugin contains a flaw that allows attackers to access files on a WordPress server without needing to log in. The plugin fails to properly check a user-submitted parameter before using it to load PHP files, enabling attackers to navigate outside intended directories and read or potentially execute arbitrary code. All versions through 1.0.3 are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-98
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9662 is a Local File Inclusion (LFI) vulnerability in the Recover Exit For WooCommerce plugin affecting versions up to 1.0.3. The vulnerability exists in the `recover_exit()` function, which accepts an unsanitized POST parameter named `tpf` and passes it directly into a PHP `include()` statement. Because the parameter lacks input validation and path normalization, an unauthenticated attacker can inject directory traversal sequences (e.g., `../`) to escape the intended directory and load arbitrary PHP files from the server filesystem. In certain configurations—such as when combined with file upload functionality, log files, or other writable locations—this can escalate to remote code execution.
Business impact
WordPress sites running this plugin face direct exposure of sensitive files including database credentials, configuration secrets, and plugin/theme source code. In multi-tenant or complex hosting environments, attackers may read files belonging to other applications. The unauthenticated nature of the vulnerability means no valid user account is required; the attack surface encompasses all site visitors. If code execution is achievable through the deployment chain, attackers gain server-level compromise, leading to data theft, malware installation, ransomware deployment, and complete site takeover.
Affected systems
Any WordPress installation running the Recover Exit For WooCommerce plugin in version 1.0.3 or earlier is vulnerable. The plugin name and affected version range should be verified in your WordPress plugin directory scan. No other WooCommerce components or WordPress core versions are directly implicated; the risk is isolated to this specific plugin.
Exploitability
The vulnerability is exploitable by unauthenticated attackers over the network. The CVSS vector (AC:H) indicates some attack complexity—likely due to the need for specific deployment conditions to achieve code execution—but the underlying LFI is trivial to trigger. Proof-of-concept exploitation can be constructed without specialized tools. Public awareness of this class of vulnerability is high, and exploitation tooling for LFI against WordPress plugins is mature.
Remediation
Update the Recover Exit For WooCommerce plugin to a version released after 1.0.3 that includes input validation and sanitization of the `tpf` parameter. Verify the patch against the vendor's official advisory. As an interim measure, disable the plugin entirely if an immediate patch is unavailable. Additionally, restrict direct HTTP POST access to the vulnerable endpoint using web application firewall rules if patching cannot be deployed immediately.
Patch guidance
Contact or check the official Recover Exit For WooCommerce plugin repository or vendor website for a patch version that remediates CVE-2026-9662. Update via the WordPress admin dashboard once a patched version is available. Before applying any update, back up your WordPress database and configuration files. Test the update on a staging environment if feasible to ensure compatibility with your theme and other plugins.
Detection guidance
Monitor web server and WordPress logs for POST requests to your WordPress installation containing the parameter `tpf` with suspicious values (especially sequences like `../`, `..\`, or encoded variants). Implement Web Application Firewall rules to block or flag requests where `tpf` contains path traversal sequences. Use WordPress security scanning tools (such as Wordfence or Sucuri) to identify installations of this plugin and their versions. Endpoint Detection and Response (EDR) solutions should flag unexpected file reads from PHP processes originating from web server contexts.
Why prioritize this
This vulnerability scores HIGH (CVSS 8.1) and warrants immediate attention due to its combination of network accessibility, lack of authentication requirements, and potential for both confidentiality and integrity impact. While code execution requires specific conditions, the baseline LFI threat is immediate and can expose critical secrets. Organizations running WordPress with this plugin should prioritize patching within their next maintenance window, ideally within 24–48 hours.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects a HIGH severity vulnerability with these factors: Network vector (AV:N) allows remote exploitation; no authentication required (PR:N); attack complexity is High (AC:H), reflecting the conditional nature of achieving code execution; the impact is Confidentiality, Integrity, and Availability all compromised (C:H/I:H/A:H). The score balances the trivial-to-exploit LFI with the elevated requirements for full system compromise.
Frequently asked questions
Can this vulnerability be exploited if the plugin is installed but not actively used?
Yes. The vulnerability is in the plugin code itself and can be triggered regardless of whether the plugin is actively used or configured. Simply having the plugin installed in the WordPress installation makes it accessible to attackers.
What is the difference between LFI and RCE in this context, and why does it matter?
Local File Inclusion (LFI) allows attackers to read or include arbitrary files from the server. Remote Code Execution (RCE) means the attacker can execute arbitrary code. This vulnerability is primarily an LFI; it becomes RCE only when combined with specific conditions such as writable upload directories or log injection techniques. The distinction affects the severity and required mitigating controls.
If I cannot patch immediately, what short-term controls should I implement?
Disable the plugin immediately if it is not critical to operations. If it must remain active, use a Web Application Firewall (WAF) or ModSecurity rules to block POST requests with the `tpf` parameter containing path traversal characters. Additionally, ensure file permissions are restrictive and that PHP execution is disabled in upload directories.
How do I verify that a patched version actually fixes this issue?
Consult the vendor's official security advisory or release notes for the patch version. Verify that the advisory specifically references CVE-2026-9662 and describes the fix (e.g., input validation on the `tpf` parameter). Test the patched version in a non-production environment before broad deployment.
This analysis is based on publicly disclosed vulnerability information as of the modification date 2026-06-17. SEC.co does not guarantee the completeness or accuracy of vendor patch timelines or the applicability of this guidance to all deployment configurations. Organizations should validate all patch versions and remediation steps directly with the plugin vendor and their own infrastructure teams. This document does not constitute legal or compliance advice. Always test patches in a non-production environment before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-53440HIGHAxiomthemes Confidant PHP Local File Inclusion (LFI) Vulnerability – CVSS 8.1 HIGH
- CVE-2025-58024HIGHUnboundStudio Accordion FAQ Local File Inclusion Vulnerability – CVSS 7.5 HIGH
- CVE-2025-58705HIGHCrafti PHP Local File Inclusion (LFI) Vulnerability – Patch Guide
- CVE-2025-58707HIGHPHP Local File Inclusion in Axiomthemes Spin 1.8
- CVE-2025-58897HIGHAxiomthemes Fermentio PHP Local File Inclusion Vulnerability (CVSS 8.1)
- CVE-2025-68886HIGHandroThemes Cookiteer PHP Local File Inclusion Vulnerability – CVSS 8.1
- CVE-2025-69369HIGHAxiomthemes Racquet File Inclusion Vulnerability (CVSS 8.1)
- CVE-2026-37266HIGHResponsive File Manager 9.14.0 Remote Code Execution via force_download.php