Description

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.

PUBLISHED Reserved 2026-05-20 | Published 2026-06-13 | Updated 2026-06-15 | Assigner WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

Any version before 1.6.9: affected

Credits

Abisheik M (finder)

WPScan (coordinator)

References

wpscan.com/...rability/14014b6b-ce49-4778-822c-026ecafa1772/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2026-9062)

nvd.nist.gov (CVE-2026-9062)
