Recover Exit For WooCommerce <= 1.0.3 - Unauthenticated Local File Inclusion via 'tpf' Parameter
CVE-2026-9662

8.1HIGH

Key Information:

Vendor: WordPress
Status: Recover Exit For WooCommerce
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-9662?

The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled tpf POST parameter before it is used in an include() path in the recover_exit() function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.

Affected Version(s)

Recover Exit For WooCommerce 0 <= 1.0.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/recoverexit-fo...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
May 26, 2026

Credit

Le Nguyen Khang

CVE-2026-9662 Data

JSON