CVE Catalog

CVE-2026-9062

LowCVSS 3.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server.

Risk Assessment

The ability to read configuration files containing database credentials and authentication keys poses a serious security risk to the organization.

Recommendation

It is recommended to update the Store Locator plugin to version 1.6.9 or later to mitigate this vulnerability.

Original NVD description (English source)

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS