CVE-2026-9062
Description
The Store Locator WordPress plugin before 1.6.9 has a path traversal vulnerability allowing admin users to read arbitrary .php files, including configuration files with credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Store Locator WordPress plugin before version 1.6.9 contains a path traversal vulnerability. The plugin does not validate a parameter before using it in a file path, enabling an attacker to traverse directories and read arbitrary .php files from the server [1]. This affects all versions prior to 1.6.9.
Exploitation
To exploit this, an attacker must have high-privileged access, such as administrator-level credentials. By sending a crafted request with a path traversal sequence in the vulnerable parameter, the attacker can read any .php file on the server [1]. No additional user interaction is required beyond having admin privileges.
Impact
Successful exploitation leads to information disclosure of sensitive .php files, including wp-config.php, which contains database credentials and authentication keys [1]. This can compromise the entire WordPress site and potentially other services sharing the same database or secrets.
Mitigation
The vulnerability is fixed in version 1.6.9 of the plugin [1]. Users should update to this version immediately. No other workarounds are documented. The plugin is not known to be listed in CISA's KEV catalog.
AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: <1.6.9
- (no CPE), range: <1.6.9
Patches
No patches discovered yet.
References