Description
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.
Published: 2026-06-13
Score: 3.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Store Locator WordPress plugin before version 1.6.9 occurs because the plugin accepts a request parameter without validation and uses it directly in a file path. This is a textbook instance of CWE-22 (path traversal) whose consequence is CWE-200 (information exposure). An administrator or other high-privileged user can supply a value containing directory traversal sequences that makes the plugin read any `.php` file the web server account can access, including configuration files such as `wp-config.php` that hold the database credentials and authentication keys. The disclosure compromises the confidentiality of the site's core secrets and can enable further attacks against the database, the application, or the underlying infrastructure.
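The bug class is easier to see in code. The PHP below is an added illustration written for this page, not the Store Locator plugin's own code: a hypothetical template loader that appends `.php` to a request-supplied name (which is why only `.php` files are reachable), next to a hardened loader that allow-lists the name and then confirms the canonical path is still inside the template directory. The directory layout, file names, the `$name` parameter and the fixture contents are all assumptions; the advisory does not publish the vulnerable parameter. It runs on a POSIX system with the `php` CLI and builds its own fixture in a temporary directory.

```php
<?php
// Added example, not the plugin's code. Hypothetical loader with the
// CWE-22 pattern beside a hardened version; all names are assumptions.

declare(strict_types=1);

// Constructed fixture so the script runs offline: a fake WordPress root with
// one legitimate plugin template, a wp-config.php holding a secret, and a
// symlink inside the template directory pointing at that config file.
$root = sys_get_temp_dir() . '/traversal-demo-' . getmypid();
$templateDir = $root . '/wp-content/plugins/store-locator/templates';
mkdir($templateDir, 0700, true);
file_put_contents($templateDir . '/list.php', "<?php // legitimate store-list template\n");
file_put_contents($root . '/wp-config.php', "<?php define('DB_PASSWORD', 'constructed-secret');\n");
symlink($root . '/wp-config.php', $templateDir . '/alias.php');

// VULNERABLE (hypothetical): $name comes from the request untouched. Only
// ".php" is appended, so "../" sequences reach any .php file the web server
// account can read, matching the advisory's "arbitrary .php files" scope.
function vulnerable_read_template(string $templateDir, string $name): ?string
{
    $path = $templateDir . '/' . $name . '.php';
    return is_file($path) ? file_get_contents($path) : null;
}

// HARDENED: accept only a bare identifier, then verify that the canonical
// path is still inside the template directory. The second check is defence
// in depth: it also rejects a symlink inside the directory that points out.
function safe_read_template(string $templateDir, string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;                       // separators, dots, empty, too long
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $name . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // missing file, or resolved outside $base
    }
    return file_get_contents($path);
}

// Assumed attacker-controlled values for the (unnamed) parameter.
$inputs = [
    'list',                    // legitimate template
    '../../../../wp-config',   // traversal to the configuration file
    'alias',                   // passes a naive name check, escapes via symlink
];

$secret = file_get_contents($root . '/wp-config.php');
foreach ($inputs as $name) {
    $v = vulnerable_read_template($templateDir, $name);
    $s = safe_read_template($templateDir, $name);
    printf("%-26s vulnerable: %-7s hardened: %s\n",
        $name,
        $v === null ? 'denied' : ($v === $secret ? 'LEAKED' : 'served'),
        $s === null ? 'denied' : 'served');
}

// Remove the fixture.
unlink($templateDir . '/alias.php');
unlink($templateDir . '/list.php');
unlink($root . '/wp-config.php');
foreach ([$templateDir, dirname($templateDir), dirname($templateDir, 2), dirname($templateDir, 3), $root] as $dir) {
    rmdir($dir);
}
```

The allow-list alone already stops the traversal string, because `.` and `/` are not in the permitted character class; the `realpath` containment check is what catches the symlink case and any future change that relaxes the pattern. A fix that only strips `../` from the input is not equivalent, since `....//` and URL-encoded variants survive naive stripping.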

Affected Systems

The affected product is the Store Locator WordPress plugin. All installations of the plugin with a version earlier than 1.6.9 are susceptible, regardless of the broader WordPress environment. No other vendors are listed in the CNA data.

Risk and Exploitability

The CVSS 3.1 base score is 3.4 (Low), vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N: the attack is network-reachable and low-complexity, but it requires high privileges and user interaction, and only confidentiality is affected. The EPSS is below 1% and the CVE is not in the CISA KEV catalog, although the SSVC record marks exploitation as 'poc', so a proof of concept is known. Because the vulnerable code path is only reachable from the WordPress administrator interface, exploitation is limited to users who already hold administrative rights or to attackers who have taken over such an account. The outcome is nevertheless serious: reading configuration files yields database credentials and authentication keys that can lead to full compromise of the site and of any other system sharing those credentials. The issue matters most where administrators are deliberately not given shell or file-system access to the server, since it lets them obtain secrets that the role was never meant to expose.

Generated by OpenCVE AI on June 17, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround is recorded in the CNA data. The affected range in the description ("before 1.6.9") indicates that version 1.6.9 is the first release without the issue.

OpenCVE Recommended Actions

  • Update the Store Locator WordPress plugin to version 1.6.9 or later; the advisory's affected range ("before 1.6.9") indicates that release addresses the issue.
  • Until the update is applied, reduce the number of accounts holding the Administrator role, enforce strong authentication on those that remain, and review access to the plugin's admin pages, since the flaw is only reachable with administrator privileges.
  • Do not rely on file-system permissions as a mitigation: the plugin's file read runs as the web server account, which must be able to read `wp-config.php` and the plugin directory anyway. Tight permissions on those files still limit what other local users can read, but they do not stop this traversal.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 05:15:00 +0000

Type         Values Removed   Values Added
Weaknesses   CWE-200          (none)

Mon, 15 Jun 2026 15:30:00 +0000

Type         Values Removed   Values Added
Metrics      (none)           cvssV3_1: {'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 13 Jun 2026 09:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Store Locator Wordpress (vendor)
                                       Store Locator Wordpress: store Locator Wordpress (product)
                                       Wordpress (vendor)
                                       Wordpress: wordpress (product)
Vendors & Products    (none)           Store Locator Wordpress (vendor)
                                       Store Locator Wordpress: store Locator Wordpress (product)
                                       Wordpress (vendor)
                                       Wordpress: wordpress (product)

Sat, 13 Jun 2026 09:15:00 +0000

Type         Values Removed   Values Added
Weaknesses   (none)           CWE-200
                              CWE-22

Sat, 13 Jun 2026 07:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.
Title         (none)           Agile Store Locator < 1.6.9 - Admin+ Arbitrary File Read via Path Traversal
References    (none)           (none)

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-15T14:48:05.704Z

Reserved: 2026-05-20T07:40:03.537Z

Link: CVE-2026-9062

Vulnrichment

Updated: 2026-06-15T14:47:39.301Z

NVD

Status: Deferred

Published: 2026-06-13T07:16:14.757

Modified: 2026-06-15T20:50:47.973

Link: CVE-2026-9062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T19:30:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')