CVE-2026-9062 Overview
CVE-2026-9062 is a path traversal vulnerability [CWE-22] in the Store Locator WordPress plugin versions prior to 1.6.9. The plugin fails to validate a user-supplied parameter before using it to construct a file path. Authenticated users with administrator-level privileges can supply traversal sequences to read arbitrary .php files from the server. Targeted files include WordPress configuration files containing database credentials and authentication keys. Successful exploitation discloses sensitive secrets that attackers can repurpose to expand access or pivot deeper into the host environment.
Critical Impact
An authenticated administrator can read arbitrary .php files on the WordPress host, including wp-config.php, exposing database credentials and authentication keys.
Affected Products
- Store Locator WordPress plugin versions prior to 1.6.9
- WordPress sites running the vulnerable plugin whose administrator accounts are exposed to compromise
- Multi-site installations where compromised admins can read shared configuration files
Discovery Timeline
- 2026-06-13 - CVE-2026-9062 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-9062
Vulnerability Analysis
The Store Locator plugin accepts a parameter that is concatenated directly into a file path used for inclusion or read operations. The plugin does not validate, sanitize, or normalize the input before performing the file system access. An attacker can supply directory traversal sequences such as ../ to escape the intended directory and reach files elsewhere on the server. Because the routine is restricted to .php files, the most attractive targets are WordPress configuration files like wp-config.php, which contain database credentials, AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY values. Disclosure of these secrets enables credential reuse, session forgery, and database access from any network path that reaches the MySQL service.
Root Cause
The root cause is missing input validation on a file path parameter [CWE-22]. The plugin trusts a request parameter and passes it to a file read function without enforcing a whitelist, canonicalizing the path, or constraining the result to an expected base directory.
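To make the missing checks concrete, the following is an added example and not the Store Locator plugin's code: a hypothetical loader that builds a .php path from a request value, shown first in the vulnerable form the advisory describes and then hardened with the three controls named above (allow-list, canonicalization, base-directory confinement). The template directory layout, the template names and the demo wp-config.php are all constructed for the example.

```php
<?php
// Added example (not the Store Locator plugin's code): a hypothetical plugin
// loader that builds a .php path from a request value, shown in the vulnerable
// form the advisory describes and in a hardened form. Assumed layout:
//   <base_dir>/templates/<name>.php
// The demo below creates that layout in a temporary directory.

// Vulnerable pattern: the request value is concatenated straight into the path,
// so a value such as "../../wp-config" escapes the templates directory.
function load_template_vulnerable(string $base_dir, string $name): ?string
{
    $path = $base_dir . '/templates/' . $name . '.php';
    $data = @file_get_contents($path);
    return $data === false ? null : $data;
}

// Hardened pattern: allow-list the name, canonicalize, and confine the result.
function load_template_safe(string $base_dir, string $name): ?string
{
    // 1. Allow-list: only template names the plugin ships (hypothetical set).
    $allowed = ['default', 'compact', 'map-only'];
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Canonicalize: realpath() resolves "..", symlinks and duplicate slashes,
    //    and returns false when the file does not exist.
    $template_dir = realpath($base_dir . '/templates');
    if ($template_dir === false) {
        return null;
    }
    $target = realpath($template_dir . '/' . $name . '.php');
    if ($target === false) {
        return null;
    }
    // 3. Confine: the resolved file must sit inside the templates directory.
    //    Comparing with the trailing separator stops "templates-evil/" matches.
    $prefix = $template_dir . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $data = @file_get_contents($target);
    return $data === false ? null : $data;
}

// Constructed demo layout: a fake wp-config.php two levels above the templates.
$root = sys_get_temp_dir() . '/cve-2026-9062-demo-' . getmypid();
mkdir($root . '/plugin/templates', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php define('DB_PASSWORD', 'demo-secret');\n");
file_put_contents($root . '/plugin/templates/default.php', "<?php echo 'default template';\n");

$base = $root . '/plugin';
$traversal = '../../wp-config';   // constructed traversal value

foreach (['default', $traversal] as $name) {
    $leaked = load_template_vulnerable($base, $name);
    $safe   = load_template_safe($base, $name);
    printf("name=%-18s vulnerable=%s hardened=%s\n",
        $name,
        $leaked === null ? 'rejected' : 'read ' . strlen($leaked) . ' bytes',
        $safe === null ? 'rejected' : 'read ' . strlen($safe) . ' bytes');
}

// Clean up the temporary layout.
unlink($root . '/plugin/templates/default.php');
unlink($root . '/wp-config.php');
rmdir($root . '/plugin/templates');
rmdir($root . '/plugin');
rmdir($root);
```

For a fixed set of shipped templates the allow-list alone is sufficient; steps 2 and 3 are what keep the loader safe when the set of names is dynamic (for example, templates registered by other code), and they also catch an allow-listed entry that has been replaced by a symlink pointing outside the directory. Rejecting on `realpath()` returning false avoids a separate existence check that could be raced.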
Attack Vector
Exploitation requires an authenticated administrator session and user interaction with a crafted request. The attacker submits a request containing a traversal payload in the vulnerable parameter. The plugin resolves the path and returns the contents of the targeted .php file. Because the precondition is administrator privileges, the practical risk centers on compromised or malicious admin accounts, supply chain scenarios involving managed admin users, and cross-site request abuse against authenticated administrators. Refer to the WPScan Vulnerability Report for technical details.
Detection Methods for CVE-2026-9062
Indicators of Compromise
- HTTP requests to Store Locator plugin endpoints containing ../ sequences or encoded variants such as %2e%2e%2f in parameter values
- Web server access logs showing administrator-authenticated requests that reference paths outside the plugin directory
- Unexpected reads of wp-config.php or other sensitive .php files correlated with plugin request handlers
Detection Strategies
- Inspect web server and PHP access logs for requests targeting Store Locator handlers with suspicious path parameters
- Deploy a web application firewall rule that blocks traversal sequences in query and POST parameters destined for /wp-admin/ plugin endpoints
- Monitor file integrity and access auditing on wp-config.php for reads originating from the WordPress PHP worker process
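The indicators and log-inspection strategy above hinge on one detail: a traversal payload may arrive literally, URL-encoded, or double-encoded, and the web server logs it as received. The following added example (not part of the advisory or the plugin) scans constructed Apache-style access-log lines, decodes the request target repeatedly until it stops changing, and flags requests to a store-locator endpoint whose decoded form contains a dot-dot segment. The log lines, usernames and parameter names are constructed for the example.

```php
<?php
// Added example (not from the advisory or the plugin): scanning constructed
// access-log lines for traversal payloads aimed at plugin endpoints.

// Constructed sample lines in Apache combined log format.
$log_lines = [
    '10.0.0.5 - admin [13/Jun/2026:10:01:12 +0000] "GET /wp-admin/admin.php?page=store-locator&template=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [13/Jun/2026:10:02:40 +0000] "GET /wp-admin/admin.php?page=store-locator&template=../../wp-config HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - admin [13/Jun/2026:10:03:05 +0000] "GET /wp-admin/admin.php?page=store-locator&template=%2e%2e%2f%2e%2e%2fwp-config HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.9 - admin [13/Jun/2026:10:03:30 +0000] "GET /wp-admin/admin.php?page=store-locator&template=%252e%252e%252fwp-config HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.7 - - [13/Jun/2026:10:04:00 +0000] "GET /wp-content/uploads/2026/06/map.png HTTP/1.1" 200 88211 "-" "Mozilla/5.0"',
];

// Decode repeatedly so single- and double-encoded payloads normalize to the
// same form; the round limit stops pathological inputs from looping forever.
function fully_decode(string $value, int $max_rounds = 3): string
{
    for ($i = 0; $i < $max_rounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Returns the authenticated user and decoded target for a suspicious line,
// or null when the line is not a traversal attempt against the plugin.
function is_traversal_attempt(string $line): ?array
{
    // Pull the request target out of the quoted request field.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $target = fully_decode($m[1]);
    if (stripos($target, 'store-locator') === false) {
        return null;
    }
    // Dot-dot segment preceded by a separator, "=", "&" or "?" and followed by
    // a slash or backslash (or end of string), checked after full decoding.
    if (!preg_match('#(?:^|[/\\\\?=&])\.\.(?:[/\\\\]|$)#', $target)) {
        return null;
    }
    $user = explode(' ', $line)[2];   // third field of the combined format
    return ['user' => $user, 'target' => $target];
}

foreach ($log_lines as $line) {
    $hit = is_traversal_attempt($line);
    if ($hit !== null) {
        printf("ALERT user=%s target=%s\n", $hit['user'], $hit['target']);
    }
}
```

Matching on the decoded target rather than the raw line is what lets one rule cover the `../`, `%2e%2e%2f` and `%252e%252e%252f` forms; grepping the raw log for `../` alone would miss the encoded lines. Restricting the match to store-locator requests keeps legitimate dot-dot strings elsewhere in the site from generating noise, and the returned username is what you would pivot on when correlating with WordPress audit logs.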
Monitoring Recommendations
- Alert on administrator session activity that includes file path parameters or unusual query strings to plugin URLs
- Track outbound database authentication attempts from unexpected source IPs that may indicate reuse of disclosed credentials
- Enable WordPress audit logging to capture administrator actions and correlate them with web server request logs
How to Mitigate CVE-2026-9062
Immediate Actions Required
- Upgrade the Store Locator plugin to version 1.6.9 or later on all WordPress installations
- Rotate WordPress salts and keys in wp-config.php and reset database credentials if the plugin was running an affected version
- Audit administrator accounts and remove unused or stale admin privileges to reduce the attack surface
Patch Information
The vendor addressed the vulnerability in Store Locator version 1.6.9. Updating to this version or later enforces validation on the affected parameter and prevents traversal outside the intended directory. See the WPScan Vulnerability Report for advisory details.
Workarounds
- Restrict administrator access to trusted IP ranges using .htaccess or reverse proxy rules until the patch is applied
- Enforce multi-factor authentication on all WordPress administrator accounts to limit account takeover risk
- Apply a WAF rule that rejects traversal patterns in requests to Store Locator plugin endpoints
# Example WAF rule pattern (ModSecurity) blocking traversal in plugin requests.
# The first rule carries phase, id and the disruptive action; the chained rule
# carries none. ModSecurity URL-decodes ARGS once before matching, so
# t:urlDecodeUni is added to normalize double-encoded variants as well.
SecRule REQUEST_URI "@contains store-locator" \
    "id:1009062,phase:2,chain,deny,status:403,log,t:none,t:lowercase,msg:'CVE-2026-9062 path traversal attempt'"
    SecRule ARGS "@rx (\.\./|%2e%2e%2f|%2e%2e/)" "t:none,t:urlDecodeUni,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

