CVE-2026-9662: Recover Exit For WooCommerce <= 1.0.3 - Unauthenticated Local File Inclusion via 'tpf' Parameter
The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.
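The `include()` pattern the description refers to, placed beside a hardened version, as an added illustration that is not the plugin's own code; the template directory `REX_TEMPLATE_DIR`, the allowlisted template names and the handler bodies are assumptions.

```php
<?php
// Illustration of the include() pattern described in the advisory and one
// hardened alternative. Not the plugin's code: the template directory,
// the allowlist, and the function bodies are assumptions for demonstration.
declare(strict_types=1);

// Assumed location of the plugin's template files.
const REX_TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable pattern: the user-controlled `tpf` value is concatenated into
// the include() path unchecked, so a traversal sequence walks out of the
// template directory and includes whatever PHP file it lands on.
function recover_exit_vulnerable(array $post): void
{
    $tpf = $post['tpf'] ?? 'default';
    include REX_TEMPLATE_DIR . '/' . $tpf . '.php';
}

// Hardened resolver: accept only names on a fixed allowlist, then confirm the
// resolved real path still lies inside the template directory (defence in
// depth against symlinks or a later loosening of the allowlist).
function recover_exit_resolve_template(string $tpf): ?string
{
    $allowed = ['default', 'discount', 'free-shipping']; // assumed names
    if (!in_array($tpf, $allowed, true)) {
        return null;
    }
    $base = realpath(REX_TEMPLATE_DIR);
    $path = realpath(REX_TEMPLATE_DIR . '/' . $tpf . '.php');
    // realpath() returns false for a missing file; the prefix test rejects
    // anything that resolved outside $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Hardened handler: reject the request instead of including an unknown path.
function recover_exit_hardened(array $post): void
{
    $path = recover_exit_resolve_template((string) ($post['tpf'] ?? 'default'));
    if ($path === null) {
        http_response_code(400);
        exit('invalid template');
    }
    include $path;
}
```

The allowlist alone closes the traversal; the `realpath()` containment check is kept so the resolver stays safe if the list is ever replaced by a directory scan.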
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Local File Inclusion in the Recover Exit For WooCommerce WordPress plugin (versions up to and including 1.0.3) allows an unauthenticated remote attacker to manipulate the `tpf` POST parameter to traverse the file system and include arbitrary local PHP files. The vulnerability is reachable over the network with no credentials required, though exploitation demands some environmental setup. Successful exploitation exposes sensitive information and, in deployments where an attacker can stage a suitable file, enables remote code execution. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-9662 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence and the NVD) within minutes of publication and matched against any customer image that packages the Recover Exit For WooCommerce plugin, including custom-built WordPress images. Scanning coverage extends to images in connected registries and to images built inside CI/CD pipelines before they reach production.
Triage is available at CVSS 8.1 (HIGH, v3.1), with per-environment compliance policy weighting applied so that teams running internet-facing WooCommerce stores can have this finding escalated to the appropriate inbox automatically. HarborGuard surfaces the affected package version alongside the CVSS vector breakdown so responders can quickly confirm exposure scope without re-reading the full advisory.
Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. In the meantime, HarborGuard surfaces compensating-control recommendations (described below) alongside the open finding so teams are not left waiting without guidance.
Exploit Conditions
- Network reachability: Required
The vulnerable `recover_exit()` function is reachable over the network via a crafted HTTP POST request, so the attacker must be able to reach the WordPress installation from the internet or an adjacent network.
- Authentication: Not required
No account or session token is required; the `tpf` parameter is accepted from completely unauthenticated POST requests.
- Victim interaction: Not required
Exploitation is fully attacker-driven and requires no action from any user or administrator of the target site.
- Attack complexity: High
Attack complexity is rated HIGH, meaning reliable exploitation depends on environmental factors such as the presence of a PHP-interpretable file the attacker can include; a naive path-traversal payload alone may not be sufficient without additional staging steps.
Blast Radius
- An attacker reads local PHP files, including WordPress configuration files such as `wp-config.php`, exposing database credentials, authentication keys, and salts.
- With database credentials in hand, an attacker queries or modifies stored WooCommerce order records, customer personally identifiable information, and payment metadata.
- In deployments where the attacker can first write a PHP-executable file to disk (for example, via an upload endpoint or server-side log poisoning), file inclusion escalates to arbitrary code execution on the web server process.
- Full compromise of confidentiality, integrity, and availability of the affected WordPress installation is achievable in those file-staging scenarios, consistent with the CVSS C:H/I:H/A:H rating.
How HarborGuard Handles This
On HarborGuard, any image containing the Recover Exit For WooCommerce plugin at version 1.0.3 or below is flagged as affected, and the finding is held open and re-evaluated on every advisory ingest cycle until an upstream fix is published. Because no patched version exists today, HarborGuard recommends the following compensating controls for affected environments: (1) apply network policy to restrict inbound POST requests to the affected WordPress endpoint at the ingress or WAF layer; (2) where the plugin functionality is not actively required, consider disabling or removing the plugin entirely and rebuilding the image with it excluded; (3) audit upload directories and log paths on the host to reduce the risk of file-staging that could turn file inclusion into code execution. For customers who opt into auto-remediation, a patched-image rebuild and regression-test run will be triggered automatically the moment an upstream fix version is published, and a PR will be opened against affected workloads with no manual intervention required.
- plasmatizemedia / Recover Exit For WooCommerce: ≤ 1.0.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H