PatchSiren cyber security CVE debrief
CVE-2026-9062 Store Locator CVE debrief
CVE-2026-9062 is a vulnerability in the Store Locator WordPress plugin before version 1.6.9. The plugin does not properly validate a parameter before using it in a file path, which allows high-privileged users, such as administrators, to read arbitrary `.php` files from the server. This includes configuration files that contain database credentials and authentication keys.
- Vendor: Store Locator
- Product: Store Locator WordPress plugin
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-13
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-13
- Advisory updated: 2026-06-13
Who should care
Site owners and administrators running the Store Locator WordPress plugin before version 1.6.9 should be aware of this vulnerability and take steps to mitigate it. Exploitation requires a high-privileged account, such as an administrator.
Technical summary
The Store Locator WordPress plugin before 1.6.9 is vulnerable to a file path traversal attack. An attacker with high privileges, such as an administrator, can exploit this vulnerability to read arbitrary `.php` files from the server, including configuration files that contain sensitive information such as database credentials and authentication keys.
Defensive priority
High
Recommended defensive actions
- Update the Store Locator WordPress plugin to version 1.6.9 or later.
- Limit access to sensitive files and configuration files.
- Monitor server logs for suspicious activity.
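One way to act on the log-monitoring recommendation, as an added example that is not PatchSiren's or the plugin's own code: scan web access logs for `/wp-admin/` requests whose query parameters decode to path traversal sequences or reference `wp-config`. The log lines and the parameter names `tpl` and `page` are constructed, since the page does not name the affected parameter; parameters sent in POST bodies do not appear in access logs and are out of scope here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Path-like values that should never appear in an admin request parameter.
SUSPICIOUS = re.compile(r'(^|[\\/])\.\.([\\/]|$)|wp-config', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_requests(lines):
    """Return (ip, path, param, decoded_value, status) for flagged wp-admin hits."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith("/wp-admin/"):
            continue  # the flaw requires a high-privileged (admin) session
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((ip, url.path, name, value, int(status)))
    return hits

# Constructed sample lines; the page does not name the affected parameter,
# so "tpl" and "page" are placeholders, not the plugin's real parameter names.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jun/2026:08:01:02 +0000] "GET /wp-admin/admin.php?page=locator&tpl=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 4312 "-" "curl/8.0"',
    '203.0.113.7 - - [13/Jun/2026:08:01:09 +0000] "GET /wp-admin/admin.php?page=locator&tpl=%252e%252e%252fwp-settings.php HTTP/1.1" 200 901 "-" "curl/8.0"',
    '198.51.100.4 - - [13/Jun/2026:08:02:00 +0000] "GET /wp-admin/admin.php?page=locator&tpl=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [13/Jun/2026:08:02:30 +0000] "GET /blog/?q=..%2Fnotes HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned status 200 is worth correlating with the administrator account and session that issued it.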
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found at [ref-4].
Official resources
- CVE-2026-9062 CVE record (CVE.org)
- CVE-2026-9062 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-9062 was published on 2026-06-13T07:16:14.757Z and has not been modified since then.