CVE-2026-9062 · EPSS p17.5%

Description

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.

Scoring

CVSS: 3.4
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
EPSS: 0.26% probability of exploitation · percentile 17.5% · 2026-06-19T12:03:05Z
Last modified: 2026-06-15
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.