CVE-2026-0926
published 2026-02-19CVE-2026-0926: The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]'…
PriorityP278critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
9.40%
94.8th percentile
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prodigycommerce | prodigy_commerce | <= 3.3.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
commandaction=prodigy-render-my-account-widget&nonce={{nonce}}¶meters[template_name]=etc/passwd¶meters[default_path]=/↗
- →Monitor POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'prodigy-render-my-account-widget' and a 'parameters[template_name]' value containing path traversal sequences or absolute paths (e.g., 'etc/passwd', '/etc/passwd'). ↗
- →The exploit is unauthenticated — no session cookie or authentication header is required. Flag unauthenticated POST requests to admin-ajax.php with this action as high-priority. ↗
- →The attacker first performs a GET to the WordPress homepage to extract a nonce value matching the regex 'var settings\s*=\s*{[^}]*"nonce":"([^"]+)"' from the page body, then uses it in the subsequent exploit POST. Correlate a GET to the homepage followed immediately by a POST to admin-ajax.php from the same source IP. ↗
- →The 'parameters[default_path]' parameter is set to '/' in the exploit, enabling absolute path traversal. Presence of both 'parameters[template_name]' and 'parameters[default_path]=/' in a single request is a strong indicator of exploitation. ↗
- →Successful exploitation returns a JSON response with a 'data.html' key containing the file contents. Detect responses from admin-ajax.php containing 'root:' followed by ':0:0:' as evidence of successful /etc/passwd disclosure. ↗
- ·The vulnerable parameter 'parameters[template_name]' combined with 'parameters[default_path]' allows arbitrary file inclusion. The default_path value of '/' enables absolute path traversal, meaning attackers are not limited to relative paths — any file readable by the web server process can be targeted. ↗
- ·The vulnerability affects all versions up to and including 3.3.0. The exploit code references version 3.2.9 as tested, but NVD confirms 3.3.0 is also vulnerable. Detection rules should not be version-gated. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Prodigy Commerce 3.3.0 - Local File Inclusion
exploitdb·2026-05-29·CVSS 9.8
CVE-2026-0926 [CRITICAL] Prodigy Commerce 3.3.0 - Local File Inclusion
Prodigy Commerce 3.3.0 - Local File Inclusion
---
# Exploit Title: Prodigy Commerce 3.3.0 - Local File Inclusion
# Date: 23-05-2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://prodigycommerce.com/
# Software Link: https://wordpress.org/plugins/prodigy-commerce/
# Version: 3.2.9
# Tested on: Debian
# CVE : CVE-2026-0926
# Description: Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.
import httpx
import asyncio
import re
from urllib.parse import urljoin
import argparse
def get_nonce(base_url):
with httpx.Client(verify=False) as client:
r = client.get(url=base_url)
match = re.search(r'var settings
Nuclei
Prodigy Commerce <= 3.3.0 - Local File Inclusion
nuclei·CVSS 9.8
CVE-2026-0926 [CRITICAL] Prodigy Commerce <= 3.3.0 - Local File Inclusion
Prodigy Commerce <= 3.3.0 - Local File Inclusion
Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.
Template:
id: CVE-2026-0926
info:
name: Prodigy Commerce <= 3.3.0 - Local File Inclusion
author: Shivam Kamboj
severity: critical
description: |
Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.
impact: |
Unauthenticated attackers can execute arbitrary PHP code, bypass access controls, and access sensitive data, potentially leading to fu
https://plugins.trac.wordpress.org/browser/prodigy-commerce/tags/3.2.9/includes/helpers/class-prodigy-template.php#L55https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/frontend/class-prodigy-public.php#L491https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/frontend/shortcodes/class-prodigy-short-code-my-account.php#L69https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/helpers/class-prodigy-template.php#L55https://plugins.trac.wordpress.org/changeset/3464655/https://www.wordfence.com/threat-intel/vulnerabilities/id/de255530-6b2d-426b-9f80-dbfebd2e3307?source=cve
2026-02-19
Published