Agile Store Locator < 1.6.9 - Admin+ Arbitrary File Read via Path Traversal
CVE-2026-9062

Currently unrated

Key Information:

Vendor: WordPress
Status: Store Locator WordPress
Vendor: CVE Published:; 13 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-9062?

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary .php files from the server, including configuration files that contain database credentials and authentication keys.

Affected Version(s)

Store Locator WordPress 0 < 1.6.9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-9062 - Proof of Concept

References

https://wpscan.com/vulnerability/14014b6b-ce49-4778-822c-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 13, 2026
👾
Exploit known to exist
Jun 13, 2026
Vulnerability published
Jun 13, 2026
Vulnerability Reserved
May 20, 2026

Credit

Abisheik M

WPScan

CVE-2026-9062 Data

JSON