cbcvebase.
CVE-2026-0926
published 2026-02-19

CVE-2026-0926: The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]'…

PriorityP278critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
9.40%
94.8th percentile
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affected

1 ranges
VendorProductVersion rangeFixed in
prodigycommerceprodigy_commerce<= 3.3.0

Detection & IOCsextracted from sources · hover to see the quote

url/wp-admin/admin-ajax.php
commandaction=prodigy-render-my-account-widget&nonce={{nonce}}&parameters[template_name]=etc/passwd&parameters[default_path]=/
pathparameters[template_name]
  • Monitor POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'prodigy-render-my-account-widget' and a 'parameters[template_name]' value containing path traversal sequences or absolute paths (e.g., 'etc/passwd', '/etc/passwd').
  • The exploit is unauthenticated — no session cookie or authentication header is required. Flag unauthenticated POST requests to admin-ajax.php with this action as high-priority.
  • The attacker first performs a GET to the WordPress homepage to extract a nonce value matching the regex 'var settings\s*=\s*{[^}]*"nonce":"([^"]+)"' from the page body, then uses it in the subsequent exploit POST. Correlate a GET to the homepage followed immediately by a POST to admin-ajax.php from the same source IP.
  • The 'parameters[default_path]' parameter is set to '/' in the exploit, enabling absolute path traversal. Presence of both 'parameters[template_name]' and 'parameters[default_path]=/' in a single request is a strong indicator of exploitation.
  • Successful exploitation returns a JSON response with a 'data.html' key containing the file contents. Detect responses from admin-ajax.php containing 'root:' followed by ':0:0:' as evidence of successful /etc/passwd disclosure.
  • ·The vulnerable parameter 'parameters[template_name]' combined with 'parameters[default_path]' allows arbitrary file inclusion. The default_path value of '/' enables absolute path traversal, meaning attackers are not limited to relative paths — any file readable by the web server process can be targeted.
  • ·The vulnerability affects all versions up to and including 3.3.0. The exploit code references version 3.2.9 as tested, but NVD confirms 3.3.0 is also vulnerable. Detection rules should not be version-gated.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.