PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9662 plasmatizemedia CVE debrief

The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.

Vendor: plasmatizemedia
Product: Recover Exit For WooCommerce
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-09
Advisory published: 2026-06-09
Advisory updated: 2026-06-09

Who should care

Anyone running the Recover Exit For WooCommerce plugin for WordPress, particularly versions up to and including 1.0.3.

Technical summary

The flaw is in the plugin's `recover_exit()` function, which uses the user-controlled `tpf` POST parameter in an `include()` path without proper validation and sanitization. Unauthenticated attackers can use path traversal to reach files outside the intended location, potentially leading to sensitive information exposure and code execution.

Defensive priority

HIGH

Recommended defensive actions

  • Update the Recover Exit For WooCommerce plugin to a version beyond 1.0.3.
  • Implement additional security measures such as input validation and sanitization for user-controlled parameters.
  • Monitor for suspicious activity and implement logging and alerting for potential security incidents.
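
One way to implement the input validation named in the second action, shown as an added example that is not the plugin's code: a request-supplied name such as the `tpf` POST value is checked against an allowlist and then against the resolved template directory before anything is included. The function name `resolve_template()`, the template names and the directory layout are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. resolve_template(), the template
// names and the directory layout are hypothetical.

/**
 * Map a request-supplied template name to a file inside $baseDir.
 * Returns the absolute path to include, or null if the request is rejected.
 */
function resolve_template(string $baseDir, $requested, array $allowed): ?string
{
    // Reject arrays (tpf[]=...) and other non-string input outright.
    if (!is_string($requested)) {
        return null;
    }
    // 1. Allowlist: only exact, known template names pass. Traversal
    //    sequences, absolute paths and stream wrappers never match.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Containment: resolve symlinks and confirm the file still sits
    //    under the template directory.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory holding one template file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'cart.php', '<?php // template body');
$allowed = ['cart', 'checkout'];

// Constructed inputs: a valid name, a traversal string, an array value,
// and an allowed name whose file does not exist.
foreach (['cart', '../outside', ['cart'], 'checkout'] as $input) {
    $path = resolve_template($dir, $input, $allowed);
    $label = json_encode($input, JSON_UNESCAPED_SLASHES);
    printf("%-16s => %s\n", $label, $path === null ? 'rejected' : 'include ' . $path);
}

unlink($dir . DIRECTORY_SEPARATOR . 'cart.php');
rmdir($dir);
```

Only the first input resolves to a path; the caller passes that path to `include` and treats `null` as a failed request worth logging.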

Evidence notes

The vulnerability was reported by [email protected] and is documented in various references including [ref-4], [ref-5], [ref-6], [ref-7], [ref-8], [ref-9], and [ref-10].

Official resources

CVE-2026-9662 was published on 2026-06-09T05:16:41.350Z and modified on 2026-06-09T13:33:34.393Z.