NVD · CVE-2026-9062

CVE-2026-9062

Published: Sat, 13 Jun 2026 07:16

CVE-2026-9062

Summary

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from

Details

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.

Are YOU affected by CVE-2026-9062?

5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether CVE-2026-9062 (and any other live CVE) applies. Anonymous, no signup.

curl https://mindsparkstack.com/scan.sh | bash

Form-based quickscan Read the bash source first

References

https://wpscan.com/vulnerability/14014b6b-ce49-4778-822c-026ecafa1772/

Want this automated for your servers?

StackPatch runs this match against YOUR installed packages every hour

Free (3 servers) / from $9/mo (14-day free trial) / Solo $9/mo / Pro $29/mo / Team $79/mo. Indie pricing.

Start free trial →See StackPatch →Live audit log →