Security Advisory - Published 2026-06-09 - WooCommerce plugin

Recover Exit for WooCommerce CVE-2026-9662: LFI Self-Check

CVE-2026-9662 affects Recover Exit for WooCommerce versions up to and including 1.0.3. The vulnerable path is a local file inclusion issue: a user-controlled tpf POST value reaches an include() path in the recover_exit() flow without enough validation.

What this means: The immediate issue is local file inclusion and path traversal. It can expose sensitive local files and, in some hosting setups, can become code execution if an attacker can place PHP content where the include path can reach it.
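The missing check, in plain terms, as an added example written in shell for this page (not the plugin's PHP and not code from the advisory): a request-supplied template name such as the tpf value has to pass an allowlist and then resolve inside the template directory before anything hands it to include(). The function names, the throwaway template directory and the cart-popup template are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not the plugin's code): models the validation that is
# missing behind CVE-2026-9662, from the defender's side. A request value
# ("tpf" in the advisory) must never reach include() as-is. Two layers:
# an allowlist of safe characters, then confinement of the resolved path
# to the template directory. Names and paths here are demo assumptions.

# Build a throwaway template directory holding one constructed template.
setup_demo_templates() {
    demo_base=$(mktemp -d)
    printf '<?php /* constructed demo template */ ?>\n' > "$demo_base/cart-popup.php"
    printf '%s\n' "$demo_base"
}

# validate_template BASE NAME
# Returns 0 and prints the resolved path only when NAME is a plain
# identifier and resolves to an existing regular file inside BASE.
validate_template() {
    base=$1
    name=$2

    # Layer 1: allowlist. Anything outside [A-Za-z0-9_-] is rejected, which
    # covers "/", "..", NUL/encoded bytes and stream-wrapper prefixes at once.
    [ -n "$name" ] || return 1
    case "$name" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac

    # Layer 2: confinement. Resolve symlinks and compare against BASE, so a
    # symlink planted inside the template directory cannot escape it.
    candidate="$base/$name.php"
    [ -f "$candidate" ] || return 1
    resolved=$(realpath "$candidate" 2>/dev/null || readlink -f "$candidate" 2>/dev/null) || return 1
    base_resolved=$(realpath "$base" 2>/dev/null || readlink -f "$base" 2>/dev/null) || return 1
    case "$resolved" in
        "$base_resolved"/*) printf '%s\n' "$resolved"; return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo: one legitimate name and constructed traversal shapes.
DEMO_BASE=$(setup_demo_templates)
for tpf in "cart-popup" "../../wp-config" "/etc/passwd" "missing"; do
    if path=$(validate_template "$DEMO_BASE" "$tpf"); then
        printf 'ACCEPT  %-20s -> %s\n' "$tpf" "$path"
    else
        printf 'REJECT  %s\n' "$tpf"
    fi
done
rm -rf "$DEMO_BASE"
```

The allowlist alone already stops the traversal the advisory describes; the realpath check is there for the case where an attacker has managed to plant a symlink or file inside the template directory, which is exactly the "follow-on artifact" situation covered later in the self-check.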

Who is affected

  • Plugin: Recover Exit for WooCommerce, slug recoverexit-for-woocommerce
  • CVE: CVE-2026-9662
  • Affected versions: 1.0.3 and earlier
  • Attack surface: unauthenticated POST path into the recover-exit handler
  • Impact: local file inclusion, sensitive file exposure, and possible code execution in certain chains

10-minute self-check

Step 1: Check whether the plugin exists

wp plugin list | grep recoverexit-for-woocommerce
wp plugin get recoverexit-for-woocommerce --field=version

If the plugin is present and version 1.0.3 or earlier, treat it as exposed. If the store no longer needs the exit-intent recovery feature, disable it before deeper review.

Step 2: Disable or remove the plugin safely

wp plugin deactivate recoverexit-for-woocommerce
wp plugin delete recoverexit-for-woocommerce

Do this during a short maintenance window for WooCommerce stores. Confirm checkout, cart, and abandoned-cart flows after removal.

Step 3: Review web logs

Search for unusual POST traffic against WordPress AJAX endpoints and plugin paths. Do not replay suspicious requests.

grep -RE "recoverexit|recover_exit|admin-ajax\.php" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -n 120

Step 4: Check for follow-on artifacts

  • Unexpected PHP files in uploads, cache, backup, or temporary folders.
  • Modified plugin files under wp-content/plugins/recoverexit-for-woocommerce/.
  • New administrators, changed payment settings, or modified checkout scripts.
  • Server logs showing direct access to local files or odd include paths.
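The four steps above folded into one script, added here as an example and not part of the advisory: a version-range check for step 1, a log filter for step 3 that separates plugin-related POSTs from the routine admin-ajax.php traffic WooCommerce generates anyway, and a scan for PHP files in directories that should hold none for step 4. It runs offline against constructed data; the log lines, the action=recover_exit query string and the planted file are all made up for the demo, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): the self-check steps
# as reusable functions, exercised against constructed data so it runs
# offline. The log lines, the "action=recover_exit" query and the planted
# file are constructed for the demo.

# version_le A B: returns 0 when dotted version A <= B (numeric, up to 4 parts).
version_le() {
    i=0
    while [ "$i" -lt 4 ]; do
        i=$((i + 1))
        # Pad with .0.0.0 so short versions such as "1.0" still yield every field.
        x=$(printf '%s.0.0.0\n' "$1" | cut -d. -f"$i"); x=${x%%[!0-9]*}; x=${x:-0}
        y=$(printf '%s.0.0.0\n' "$2" | cut -d. -f"$i"); y=${y%%[!0-9]*}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 0
}

# Step 1: exposed if the installed version is 1.0.3 or earlier.
is_affected_version() { version_le "$1" "1.0.3"; }

# Step 3: POST requests whose target names the plugin or its handler.
# Plain admin-ajax.php POSTs are normal WooCommerce traffic (cart fragments),
# so the filter requires a plugin marker inside the request line.
SUSPECT_RE='"POST [^"]*(recoverexit|recover_exit)[^"]*"'

count_suspicious_posts() {
    grep -Ec "$SUSPECT_RE" "$1" || true
}

# Prints the timestamp of the first matching request, which the repair
# request in this advisory asks for.
first_suspicious_timestamp() {
    grep -E "$SUSPECT_RE" "$1" | head -n 1 | sed 's/^[^[]*\[\([^]]*\)\].*$/\1/'
}

# Step 4: PHP files where none should live (uploads, cache, backups, temp).
find_unexpected_php() {
    find "$1" -type f -name '*.php'
}

# ---- constructed demo data --------------------------------------------
write_demo_log() {
    demo_log=$(mktemp)
    cat > "$demo_log" <<'EOF'
203.0.113.5 - - [09/Jun/2026:10:01:02 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "https://store.example/cart/" "Mozilla/5.0"
198.51.100.20 - - [09/Jun/2026:10:07:44 +0000] "POST /wp-admin/admin-ajax.php?action=recover_exit HTTP/1.1" 200 8804 "-" "python-requests/2.31"
198.51.100.20 - - [09/Jun/2026:10:07:45 +0000] "POST /wp-admin/admin-ajax.php?action=recover_exit HTTP/1.1" 200 8804 "-" "python-requests/2.31"
203.0.113.5 - - [09/Jun/2026:10:09:30 +0000] "GET /wp-content/plugins/recoverexit-for-woocommerce/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$demo_log"
}

write_demo_uploads() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/2026/06"
    printf 'not really an image\n' > "$demo_dir/2026/06/banner.png"
    printf '<?php /* constructed planted file */\n' > "$demo_dir/2026/06/.cache.php"
    printf '%s\n' "$demo_dir"
}

# ---- stand-alone run over the demo data -------------------------------
for v in 1.0.3 1.0.4; do
    if is_affected_version "$v"; then
        echo "version $v: EXPOSED"
    else
        echo "version $v: outside the affected range"
    fi
done
DEMO_LOG=$(write_demo_log)
echo "suspicious POSTs: $(count_suspicious_posts "$DEMO_LOG")"
echo "first suspicious timestamp: $(first_suspicious_timestamp "$DEMO_LOG")"
DEMO_UPLOADS=$(write_demo_uploads)
echo "unexpected PHP under uploads:"
find_unexpected_php "$DEMO_UPLOADS"
rm -rf "$DEMO_LOG" "$DEMO_UPLOADS"
```

On a live store, feed is_affected_version the output of the wp plugin get command from step 1, point count_suspicious_posts and first_suspicious_timestamp at the access logs named in step 3, and run find_unexpected_php over wp-content/uploads and any cache or backup directories; the GET to the plugin directory in the demo log is there to show that the filter keys on POST requests, not on the plugin name alone.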

Safe fix path

  1. Deactivate the plugin. Remove it if no fixed release is available from a trusted source.
  2. Preserve suspicious logs. Keep web logs before rotating or clearing cache.
  3. Check WooCommerce integrity. Review payment gateways, checkout scripts, admin users, and recent plugin installs.
  4. Harden file execution. Block PHP execution in uploads and cache directories.
  5. Rotate secrets if suspicious traffic succeeded. Include WordPress admins, database password, API keys, and payment integration tokens.

When to request repair help

Ask for help if the plugin was active on a public store, logs show suspicious POST traffic, or you find unexpected PHP files after disabling it. Start from Ping7 CVE repair and include the domain, plugin version, whether WooCommerce checkout was active, and the first suspicious timestamp.

References