Unrated severity · NVD Advisory · Published Jun 19, 2026
Woosa <= 2.0.5 - Authenticated (Administrator+) Arbitrary File Read via 'log_file' Parameter
CVE-2026-7547
Description
The Woosa – Marktplaats for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in versions up to and including 2.0.4. This is due to insufficient path sanitization in the render_logs_ui() function, which accepts a base64-encoded file name from the 'log_file' GET parameter and concatenates it directly with the plugin's log directory path without validating that the resolved path remains within the intended directory. This makes it possible for authenticated attackers, with Administrator-level access, to read the contents of arbitrary files on the server, including wp-config.
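The pattern described above, next to a hardened form, as an added illustration that is not code from the Woosa plugin: the function names, the `.log` extension rule and the temporary sandbox directory are assumptions, and the files are constructed for the demo.

```php
<?php
// Added illustration; not the plugin's code. All names and paths are hypothetical.

/** Pattern the advisory describes: decoded name joined to the log dir unchecked. */
function log_path_unchecked(string $logDir, string $encoded): string
{
    return $logDir . '/' . base64_decode($encoded);
}

/** Hardened: resolve the path and require it to stay inside the log directory. */
function log_path_checked(string $logDir, string $encoded): ?string
{
    $name = base64_decode($encoded, true);      // strict mode rejects non-base64 input
    if ($name === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($logDir);
    $real = realpath($logDir . '/' . $name);    // collapses ../ and follows symlinks
    if ($base === false || $real === false) {
        return null;                            // directory or file does not exist
    }
    // Trailing separator stops a sibling such as /logs-old from matching /logs.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Assumption: log files carry a .log extension.
    if (pathinfo($real, PATHINFO_EXTENSION) !== 'log' || !is_file($real)) {
        return null;
    }
    return $real;
}

// Constructed sandbox: one log file, plus a stand-in config file outside the log dir.
$root = sys_get_temp_dir() . '/logdemo_' . bin2hex(random_bytes(4));
mkdir($root . '/logs', 0700, true);
file_put_contents($root . '/logs/sync.log', "constructed log line\n");
file_put_contents($root . '/secret-config.php', "<?php // constructed stand-in\n");

foreach (['sync.log', '../secret-config.php'] as $name) {
    $enc = base64_encode($name);
    $unchecked = is_file(log_path_unchecked($root . '/logs', $enc)) ? 'readable' : 'absent';
    $checked = log_path_checked($root . '/logs', $enc) === null ? 'rejected' : 'allowed';
    printf("%-22s unchecked=%-8s checked=%s\n", $name, $unchecked, $checked);
}
```

Comparing the two `realpath()` results, rather than filtering `../` out of the decoded string, also covers symlinks placed inside the log directory.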
Affected products
- (no CPE) range: <=2.0.4
- (no CPE) range: <=2.0.4
References
- plugins.trac.wordpress.org/browser/integration-marktplaats-for-woocommerce/tags/2.0.4/vendor/woosa/logger/class-module-logger-hook-settings.php (mitre)
- plugins.trac.wordpress.org/browser/integration-marktplaats-for-woocommerce/tags/2.0.5/vendor/woosa/logger/class-module-logger-hook-settings.php (mitre)
- plugins.trac.wordpress.org/browser/integration-marktplaats-for-woocommerce/trunk/vendor/woosa/logger/class-module-logger-hook-settings.php (mitre)
- plugins.trac.wordpress.org/changeset (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/3e765e05-9be1-40fa-97f2-a6e57728cb85 (mitre)
News mentions
- 25 WordPress Plugin CVEs Drop in Two Days: Critical File Deletion, SSRF, and XSS Lead the Batch · Vypr Intelligence · Jun 19, 2026