Security Advisory - Published 2026-06-09 - WooCommerce plugin
Recover Exit for WooCommerce CVE-2026-9662: LFI Self-Check
CVE-2026-9662 affects Recover Exit for WooCommerce versions up to and including
1.0.3. The vulnerable path is a local file inclusion issue: a user-controlled
tpf POST value reaches an include() path in the
recover_exit() flow without enough validation.
Who is affected
- Plugin: Recover Exit for WooCommerce, slug recoverexit-for-woocommerce
- CVE: CVE-2026-9662
- Affected versions: 1.0.3 and earlier
- Attack surface: unauthenticated POST path into the recover-exit handler
- Impact: local file inclusion, sensitive file exposure, and possible code execution in certain chains
10-minute self-check
Step 1: Check whether the plugin exists
wp plugin list | grep recoverexit-for-woocommerce
wp plugin get recoverexit-for-woocommerce --field=version
If the plugin is present and the version is 1.0.3 or earlier, treat it as exposed. If the store no longer needs the exit-intent recovery feature, disable it before deeper review.
Step 2: Disable or remove the plugin safely
wp plugin deactivate recoverexit-for-woocommerce
wp plugin delete recoverexit-for-woocommerce
Do this during a short maintenance window for WooCommerce stores. Confirm checkout, cart, and abandoned-cart flows after removal.
Step 3: Review web logs
Search for unusual POST traffic against WordPress AJAX endpoints and plugin paths. Do not replay suspicious requests.
grep -RE 'recoverexit|recover_exit|admin-ajax\.php' /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -120
Step 4: Check for follow-on artifacts
- Unexpected PHP files in uploads, cache, backup, or temporary folders.
- Modified plugin files under wp-content/plugins/recoverexit-for-woocommerce/.
- New administrators, changed payment settings, or modified checkout scripts.
- Server logs showing direct access to local files or odd include paths.
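The four steps above can be bundled into one read-only check. The script below is an added example written for this advisory, not code from the plugin, from wp-cli, or from the original page. It assumes wp-cli ("wp") may be absent (the version comparison, log count and file search then run on whatever you pass them), it treats 1.0.4 as the first non-affected version purely because the advisory says 1.0.3 and earlier are affected, and the access-log lines and uploads tree it builds are constructed sample data, not real site data.

```shell
#!/bin/sh
# Added self-check helper for CVE-2026-9662 (Recover Exit for WooCommerce).
# Illustrative code written for this advisory; not the plugin's, wp-cli's, or the page's own code.
# Assumptions: wp-cli ("wp") may be absent; the sample log and uploads tree below are constructed.
set -u

PLUGIN_SLUG="recoverexit-for-woocommerce"
FIRST_SAFE="1.0.4"   # assumption: 1.0.3 and earlier are affected, so anything below 1.0.4 is exposed

# version_lt A B: succeed when dot-separated version A is numerically lower than B.
# Pure POSIX sh, so it does not depend on GNU "sort -V".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # drop suffixes such as "-beta"
        ai="${ai:-0}"; bi="${bi:-0}"               # missing components count as 0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# is_exposed VERSION: print "yes" when VERSION falls in the affected range (1.0.3 and earlier).
is_exposed() {
    if version_lt "$1" "$FIRST_SAFE"; then echo yes; else echo no; fi
}

# installed_version: report the installed plugin version via wp-cli, or "absent".
# Read-only; it only queries wp-cli when it is on PATH and the plugin is installed.
installed_version() {
    if command -v wp >/dev/null 2>&1 && wp plugin is-installed "$PLUGIN_SLUG" >/dev/null 2>&1; then
        wp plugin get "$PLUGIN_SLUG" --field=version
    else
        echo absent
    fi
}

# suspicious_log_lines FILE: count POST requests to admin-ajax.php or the plugin path.
# GET requests for the plugin's static assets are normal traffic and are not counted.
# Nothing is replayed; the log is only read.
suspicious_log_lines() {
    grep -Ec '"POST [^"]*(recoverexit|recover_exit|admin-ajax\.php)' "$1" || true
}

# unexpected_php_files DIR: list PHP-like files under a directory that should contain none
# (uploads, cache, backups, temp). Prints one path per line.
unexpected_php_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# make_sample_site: build a constructed sample log and uploads tree and print its path.
make_sample_site() {
    d="$(mktemp -d)"
    mkdir -p "$d/uploads/2026/06"
    : > "$d/uploads/2026/06/photo.jpg"
    : > "$d/uploads/2026/06/cache.php"      # constructed: a PHP file where none belongs
    cat > "$d/access.log" <<'EOF'
203.0.113.10 - - [09/Jun/2026:10:01:02 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jun/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2026:10:02:11 +0000] "POST /wp-content/plugins/recoverexit-for-woocommerce/ HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.10 - - [09/Jun/2026:10:03:00 +0000] "GET /wp-content/plugins/recoverexit-for-woocommerce/assets/app.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
    echo "$d"
}

# Demo run on the constructed sample; on a real store, point the functions at the real
# access log and at wp-content/uploads instead.
SAMPLE="$(make_sample_site)"
echo "installed plugin version: $(installed_version)"
echo "is 1.0.3 exposed: $(is_exposed 1.0.3)"
echo "is 1.0.4 exposed: $(is_exposed 1.0.4)"
echo "suspicious POST lines in sample log: $(suspicious_log_lines "$SAMPLE/access.log")"
echo "unexpected PHP files under sample uploads:"
unexpected_php_files "$SAMPLE/uploads"
rm -rf "$SAMPLE"
```

On the sample data the log count is 2 (the two POSTs; the GET for a plugin asset is ignored) and one PHP file is reported under uploads. Keep the original logs untouched when you run this for real: the functions only read, and the sample directory is the only thing removed.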
Safe fix path
- Deactivate the plugin. Remove it if no fixed release is available from a trusted source.
- Preserve suspicious logs. Keep web logs before rotating or clearing cache.
- Check WooCommerce integrity. Review payment gateways, checkout scripts, admin users, and recent plugin installs.
- Harden file execution. Block PHP execution in uploads and cache directories.
- Rotate secrets if suspicious traffic succeeded. Include WordPress admins, database password, API keys, and payment integration tokens.
When to request repair help
Ask for help if the plugin was active on a public store, logs show suspicious POST traffic, or you find unexpected PHP files after disabling it. Start from Ping7 CVE repair and include the domain, plugin version, whether WooCommerce checkout was active, and the first suspicious timestamp.