CVE-2026-7547

Name of the Vulnerable Software and Affected Versions Woosa – Marktplaats for WooCommerce versions prior to 2.0.5

Description Insufficient path sanitization in the render logs ui() function allows authenticated attackers with Administrator-level access to read arbitrary files on the server, such as wp-config. The issue occurs because the plugin accepts a base64-encoded file name via the 'log file' GET parameter and concatenates it with the log directory path without verifying that the resulting path stays within the intended directory. This leads to a Path Traversal, which is a technique used to access files and directories that are stored outside the web root folder.

Recommendations Update to a version later than 2.0.4. As a temporary workaround, restrict access to the render logs ui() function or the 'log file' parameter until the update is applied.