CVE-2026-0926
📋 TL;DR
The Prodigy Commerce WordPress plugin has a Local File Inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP code on the server. This affects all WordPress sites using Prodigy Commerce versions up to 3.2.9. Attackers can bypass access controls, steal sensitive data, or achieve remote code execution.
💻 Affected Systems
- Prodigy Commerce WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, data exfiltration, and complete site takeover.
Likely Case
Sensitive file disclosure (configuration files, database credentials) leading to further exploitation.
If Mitigated
Limited impact if proper file permissions and web application firewalls block malicious requests.
🎯 Exploit Status
Exploitation requires minimal technical skill due to public details and unauthenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.0 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/prodigy-commerce
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Prodigy Commerce and update to version 3.3.0 or later. 4. Verify update completes successfully.
🔧 Temporary Workarounds
Web Application Firewall Rule
allBlock requests containing malicious file inclusion patterns in the parameters[template_name] parameter.
WAF-specific configuration required
Disable Plugin
linuxTemporarily disable Prodigy Commerce plugin until patched.
wp plugin deactivate prodigy-commerce
🧯 If You Can't Patch
- Remove the plugin entirely from production systems.
- Implement strict file system permissions to limit PHP file access.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Prodigy Commerce version 3.2.9 or earlier.Check Version:
wp plugin list --name=prodigy-commerce --field=versionVerify Fix Applied:
Confirm Prodigy Commerce version is 3.3.0 or later in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- HTTP requests with parameters[template_name] containing path traversal sequences (../, /etc/passwd, etc.)
- Unusual file access patterns in web server logs
Network Indicators:
- Incoming requests to WordPress endpoints with suspicious template parameters
SIEM Query:
source="web_logs" AND (uri_path="*prodigy*" AND parameters CONTAINS "template_name")🔗 References
- https://plugins.trac.wordpress.org/browser/prodigy-commerce/tags/3.2.9/includes/helpers/class-prodigy-template.php#L55
- https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/frontend/class-prodigy-public.php#L491
- https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/frontend/shortcodes/class-prodigy-short-code-my-account.php#L69
- https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/helpers/class-prodigy-template.php#L55
- https://www.wordfence.com/threat-intel/vulnerabilities/id/de255530-6b2d-426b-9f80-dbfebd2e3307?source=cve
