cleantalk
Vulnerabilities and Security Researches

Recover Exit For WooCommerce, CVE-2026-9662

CVE, Research URL

CVE-2026-9662

Home page URL

Security reports for Recover Exit For WooCommerce

Application

Recover Exit For WooCommerce

Published on
Jun 09, 2026
Research Description
The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.
Affected versions
max 1.0.3.
Status
vulnerable
Previous vulnerability researches
Montonio for WooCommerce (CVE-2026-48873) , Jun 11, 2026
Montonio for WooCommerce (CVE-2022-40700) , Jun 07, 2024
New vulnerability
Recover Exit For WooCommerce (CVE-2026-9662) , Jun 11, 2026
Montonio for WooCommerce (CVE-2026-48873) , Jun 11, 2026
Background Image Cropper (CVE-2024-58348) , Jun 11, 2026
ELEX WordPress HelpDesk & Customer Ticketing System (CVE-2026-48964) , Jun 11, 2026
Helpfulcrowd Product Reviews (CVE-2026-8499) , Jun 11, 2026