PT-2026-47685 · WordPress · Recover Exit For Woocommerce

Published 2026-06-09 · Updated 2026-06-10 · CVE-2026-9662

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Recover Exit For WooCommerce versions prior to 1.0.4

Description

The plugin is subject to Local File Inclusion due to insufficient validation and sanitization of the tpf POST parameter within the recover exit() function. This allows unauthenticated attackers to use path traversal to include unintended local PHP files, potentially leading to the exposure of sensitive information or remote code execution depending on the server configuration.

Recommendations

Update to a version later than 1.0.3. As a temporary workaround, restrict access to the recover exit() function or sanitize the tpf parameter to prevent path traversal.
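
One way to apply the "sanitize the tpf parameter" workaround, as an added example rather than the plugin's own code or its fix: the helper name `resolve_template`, the template directory and the allowlisted names are assumptions, since the advisory does not show the vulnerable function.

```php
<?php
// Added example: hypothetical helper, not the plugin's code.
// Maps a request value to a template file under $baseDir, or returns null.
function resolve_template($requested, string $baseDir, array $allowed): ?string
{
    // POST values can arrive as arrays; accept only a plain string.
    if (!is_string($requested)) {
        return null;
    }
    // Allowlist of template names: a path or traversal sequence never matches.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Canonicalise (resolves symlinks and ".."); false if the file is missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($path === false) {
        return null;
    }
    // Containment: the canonical path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: temporary template directory holding a single template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'popup.php', "<?php // constructed template\n");
$allowed = ['popup', 'banner']; // assumed template names

// Constructed inputs: a valid name, traversal attempts, a missing file, an array.
$samples = ['popup', '../../outside', 'popup/../popup', 'banner', ['popup']];
foreach ($samples as $tpf) {
    $resolved = resolve_template($tpf, $dir, $allowed);
    $label = json_encode($tpf, JSON_UNESCAPED_SLASHES);
    printf("%-18s => %s\n", $label, $resolved === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'popup.php');
rmdir($dir);
```

A request handler would pass only a non-null return value to `include` and fall back to a fixed default template otherwise.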

Related Identifiers

CVE-2026-9662

Affected Products

Recover Exit For Woocommerce