All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-9062
LOWpublished 2026-06-13 07:16 UTC · 12 days ago · modified 2026-06-15 20:50 UTC
3.4
CVSS / 10
// description
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
// weaknesses (CWE)
- CWE-22