CVE-2026-9662 - Vulnerability Details

- Recover Exit For WooCommerce <= 1.0.3 - Unauthenticated Local File Inclusion via 'tpf' Parameter

Description

The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.

Published: 2026-06-09

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Recover Exit For WooCommerce plugin includes a function that uses the POST parameter 'tpf' directly in a PHP include statement without validating the input. This omission permits an attacker to craft a path traversal payload that causes the server to read and execute arbitrary local PHP files. The vulnerability therefore allows an unauthenticated attacker to expose sensitive server files or inject malicious code, which could compromise confidentiality, integrity, or availability of the entire WordPress site.

Affected Systems

Every WordPress site that uses the Recover Exit For WooCommerce plugin from plasmatizemedia, version 1.0.3 or earlier, is affected. Versions newer than 1.0.3 are not listed as vulnerable, so sites that have the plugin upgraded beyond that revision are spared.

Risk and Exploitability

The vulnerability scores an 8.1 on the CVSS vector, classifying it as high severity. No EPSS score is available, which indicates that the current exploitation probability is not quantified. The vulnerability is not listed in CISA's KEV catalog, but the lack of a KEV entry does not preclude attacker activity. Because the attack vector is unauthenticated local file inclusion, an adversary only needs to pose a crafted POST request to the plugin’s endpoint; no special credentials are required. If an attacker can read privileged files or place a malicious file in a location that the plugin may include, the impact can reach arbitrary code execution on the host, giving an attacker full control of the WordPress instance.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

plasmatizemedia

Recover Exit For WooCommerce

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0.3

No data.

Vendor Product Confidence Versions

Plasmatizemedia

Recover Exit For Woocommerce

100%

Version	Status	Scheme	Platform
`[0,1.0.3]`	affected	generic	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Recover Exit For WooCommerce to the newest release or remove the plugin if it is no longer required.
When an upgrade is not immediately possible, apply server‑side input validation to the 'tpf' parameter, enforcing a strict whitelist of allowed characters and rejecting any path‑traversal sequences such as '..' or leading slashes; this mitigates the CWE‑98 flaw.
Restrict file permissions on the plugin’s directory so that only files intended for inclusion are readable, and configure a web‑application firewall or the web server to block POST requests that include traversal patterns, while monitoring access logs for anomalous activity.

Generated by OpenCVE AI on June 9, 2026 at 06:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/tags/1.0.3/recover_exit_main.php#L41
https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/tags/1.0.3/recover_exit_main.php#L42
https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/tags/1.0.3/recoverexit_woocommerce.php#L52
https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/trunk/recover_exit_main.php#L41
https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/trunk/recover_exit_main.php#L42
https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/trunk/recoverexit_woocommerce.php#L52
https://www.wordfence.com/threat-intel/vulnerabilities/id/10552714-c8fb-455c-ad61-c0ef2db4b69f?source=cve

History

Tue, 09 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 09 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Plasmatizemedia Plasmatizemedia recover Exit For Woocommerce Wordpress Wordpress wordpress
Vendors & Products		Plasmatizemedia Plasmatizemedia recover Exit For Woocommerce Wordpress Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.
Title		Recover Exit For WooCommerce <= 1.0.3 - Unauthenticated Local File Inclusion via 'tpf' Parameter
Weaknesses		CWE-98
References		https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/tags/1.0.3/recover_exit_main.php#L41 https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/tags/1.0.3/recover_exit_main.php#L42 https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/tags/1.0.3/recoverexit_woocommerce.php#L52 https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/trunk/recover_exit_main.php#L41 https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/trunk/recover_exit_main.php#L42 https://plugins.trac.wordpress.org/browser/recoverexit-for-woocommerce/trunk/recoverexit_woocommerce.php#L52 https://www.wordfence.com/threat-intel/vulnerabilities/id/10552714-c8fb-455c-ad61-c0ef2db4b69f?source=cve
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Plasmatizemedia Recover Exit For Woocommerce

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-09T03:41:18.003Z

Updated: 2026-06-09T14:55:09.688Z

Reserved: 2026-05-26T22:28:08.137Z

Link: CVE-2026-9662

Vulnrichment

Updated: 2026-06-09T14:55:04.132Z

NVD

Status : Deferred

Published: 2026-06-09T05:16:41.350

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-9662

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:56:15Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object