CVE-2026-7547 Overview
CVE-2026-7547 is a path traversal vulnerability [CWE-22] affecting the Woosa – Marktplaats for WooCommerce plugin for WordPress in versions up to and including 2.0.4. The flaw resides in the render_logs_ui() function, which accepts a base64-encoded file name from the log_file GET parameter. The function concatenates this value with the plugin's log directory path without validating that the resolved path stays within the intended directory. Authenticated attackers with Administrator-level access can read arbitrary files on the server, including wp-config.php.
Critical Impact
Administrators can read arbitrary files on the WordPress server, exposing database credentials, authentication keys, and other secrets stored in wp-config.php.
Affected Products
- Woosa – Marktplaats for WooCommerce plugin for WordPress
- All versions up to and including 2.0.4
- Fixed in version 2.0.5
Discovery Timeline
- 2026-06-19 - CVE-2026-7547 published to the National Vulnerability Database (NVD)
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-7547
Vulnerability Analysis
The vulnerability exists in class-module-logger-hook-settings.php within the woosa/logger vendor component bundled with the plugin. The render_logs_ui() function builds a file path by decoding the base64-encoded log_file GET parameter and appending it to the plugin's log directory. The plugin performs no canonicalization or boundary check on the resulting path.
An attacker can supply a base64-encoded payload containing ../ sequences to traverse outside the log directory. The function then reads the targeted file and renders its contents in the administrative interface. Targets include wp-config.php, which holds database credentials, salts, and the AUTH_KEY constants.
Exploitation requires Administrator privileges, which limits the attacker pool but raises the impact when an administrator account is compromised through phishing, credential stuffing, or chained vulnerabilities.
Root Cause
The root cause is insufficient path sanitization. The plugin trusts the decoded log_file value as a safe relative file name. It does not call a canonicalization routine such as realpath() or verify that the resolved path remains within the expected log directory before invoking file read operations.
Attack Vector
The attack is network-based and requires authentication as an Administrator. An attacker issues a crafted GET request to the plugin's logs UI endpoint with a base64-encoded path traversal payload in the log_file parameter. The server decodes the value, resolves a path outside the log directory, and returns the file contents to the attacker.
The vulnerability mechanism is described in detail in the Wordfence Vulnerability Details and the affected source is available in the WordPress Logger Class Settings reference.
Detection Methods for CVE-2026-7547
Indicators of Compromise
- Web server access log entries containing the log_file GET parameter with long base64-encoded values targeting the plugin's admin endpoint.
- Base64-decoded log_file values containing ../, ..%2f, or absolute paths such as /wp-config.php or /etc/passwd.
- Unexpected reads of wp-config.php or other sensitive files originating from the PHP worker process during administrator sessions.
Detection Strategies
- Inspect HTTP request logs for requests to the Marktplaats for WooCommerce logger interface that include a log_file parameter, and decode the value to check for traversal sequences.
- Apply Web Application Firewall (WAF) rules that decode base64 parameters and block requests containing path traversal patterns.
- Correlate administrator authentication events with file access telemetry to surface anomalous reads of configuration files.
Monitoring Recommendations
- Monitor WordPress administrator session activity for unusual visits to plugin log management pages.
- Alert on file read operations targeting wp-config.php, .htaccess, and files outside the plugin's expected directories.
- Track plugin version inventory across WordPress installations and flag any host running Marktplaats for WooCommerce 2.0.4 or earlier.
How to Mitigate CVE-2026-7547
Immediate Actions Required
- Update the Woosa – Marktplaats for WooCommerce plugin to version 2.0.5 or later on all WordPress sites.
- Rotate WordPress database credentials, secret keys, and salts in wp-config.php if Administrator accounts may have been compromised.
- Audit Administrator accounts, enforce strong passwords, and enable multi-factor authentication.
Patch Information
The vendor addressed the issue in version 2.0.5. The fix is visible in the WordPress Plugin Change Set and the patched source is available in the updated Logger Class Settings file.
Workarounds
- Temporarily deactivate the Marktplaats for WooCommerce plugin until the patched version is deployed.
- Restrict administrative access to trusted IP ranges through web server or WAF rules.
- Deploy a WAF rule that decodes the log_file parameter and blocks traversal sequences such as ../ and ..%2f.
# Example WAF rule pseudo-configuration to block traversal in log_file parameter
SecRule ARGS:log_file "@rx (\.\./|\.\.%2f|%2e%2e/)" \
"id:1026754701,phase:2,deny,status:403,t:base64Decode,t:lowercase,\
msg:'CVE-2026-7547 path traversal attempt in Marktplaats plugin log_file parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

