Description
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Published: 2026-02-19
Score: 9.8 Critical
EPSS: 20.3% Moderate
KEV: No
Impact: Remote Code Execution via Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The Prodigy Commerce WordPress plugin is vulnerable to Local File Inclusion through the 'parameters[template_name]' input. An unauthenticated attacker who can reach the site over HTTP can make the server include an arbitrary local file: reading it discloses its contents, and if the file contains PHP (for example an uploaded image with embedded code) that PHP runs as the web server user. This permits bypassing access controls, leaking sensitive data such as wp-config.php, or running attacker-controlled code on the server, with potential full compromise of the site and host. The weakness is a classic unchecked include of an attacker-controlled path, CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).

Affected Systems

All installations running Prodigy Commerce 3.3.0 or earlier are affected. The CNA record (Wordfence) lists no fixed version, and the affected range was widened from <= 3.2.9 to <= 3.3.0 on 2026-04-08, so 3.3.0 itself is vulnerable and the original upper bound of 3.2.9 must not be relied on. The vulnerable code path is the plugin's handling of the 'parameters[template_name]' request parameter; the record identifies no more specific component.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) scores 9.8 Critical: reachable over the network, low attack complexity, no privileges or user interaction required, and full loss of confidentiality, integrity and availability. The EPSS score of 20.3% estimates roughly a one-in-five probability of exploitation activity in the next 30 days, well above the median for published CVEs. CISA's SSVC assessment marks the issue Automatable with Technical Impact "total", although Exploitation was "none" at enrichment time, and it is not currently in the KEV catalog; the score and exploit probability still warrant urgent attention. The attack path follows from the description: an unauthenticated HTTP request carries a crafted 'parameters[template_name]' value that the plugin passes to a file-inclusion call, so a traversal sequence or absolute path reaches any file the web server user can read. Including a file that contains PHP, for example an otherwise "safe" upload such as an image with embedded PHP, executes that code. The only precondition is that the request reaches the vulnerable plugin code, so the trigger is ordinary remote HTTP traffic.

Generated by OpenCVE AI on April 19, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prodigy Commerce to a release newer than 3.3.0 as soon as the vendor publishes one; the CNA record lists no fixed version, so confirm from the vendor's changelog that the release addresses this issue before relying on it.
  • If an upgrade is not immediately possible, patch the plugin locally so that 'parameters[template_name]' is checked against an allowlist of known template names and the resolved path is confirmed to lie inside the plugin's template directory; reject '..', absolute paths, null bytes and stream-wrapper prefixes such as php://.
  • Deploy a web application firewall rule or a WordPress security plugin that blocks requests whose 'parameters[template_name]' value contains traversal sequences, absolute paths or stream-wrapper prefixes, and review access logs for such requests to detect past exploitation attempts.
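The following is an added illustration of the CWE-98 pattern described above beside a hardened form, written for this page; it is not Prodigy Commerce's code. Only the parameter name parameters[template_name] comes from the CVE record; the handler names, the templates directory and the allowlist entries are assumed.

```php
<?php
// Added illustration of the CWE-98 pattern and its fix. This is NOT
// Prodigy Commerce's code: the handler names, TEMPLATE_DIR and the
// allowlist entries are assumed; only the parameter name
// parameters[template_name] comes from the CVE record.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable shape: the request value reaches include() unchanged.
// '../../../wp-config' reads the WordPress config; a path to an uploaded
// image that carries PHP executes it.
function render_template_vulnerable(array $parameters): void
{
    $name = $parameters['template_name'] ?? 'default';
    include TEMPLATE_DIR . '/' . $name . '.php';
}

// Hardened form, two independent checks:
//  1. the name must be on a fixed allowlist of known templates;
//  2. the resolved absolute path must still sit under TEMPLATE_DIR.
// Check 1 alone closes the hole; check 2 is defence in depth for code
// paths that later grow a "custom template" feature.
function resolve_template(string $name): ?string
{
    static $allowed = ['product', 'cart', 'checkout', 'default'];
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file missing
    }
    // realpath() has collapsed '..' and symlinks; require the directory
    // prefix WITH the separator so '/templates_evil/x.php' cannot match.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(array $parameters): void
{
    $raw = $parameters['template_name'] ?? 'default';
    // Arrays and other non-strings (parameters[template_name][]=x) are rejected.
    $path = is_string($raw) ? resolve_template($raw) : null;
    if ($path === null) {
        http_response_code(400);
        exit('invalid template');
    }
    include $path;
}

// Example dispatch when served over HTTP: $_REQUEST['parameters'] is what a
// query string such as ?parameters[template_name]=product produces.
if (PHP_SAPI !== 'cli') {
    $parameters = $_REQUEST['parameters'] ?? [];
    render_template_hardened(is_array($parameters) ? $parameters : []);
}
```

Inside WordPress the input can additionally be normalised with the core sanitize_key() function before the allowlist lookup, but normalisation is not a substitute for the allowlist: any scheme that builds an include path from request data without a closed set of permitted names remains CWE-98.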
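As an added example of the log review recommended above (not part of the CVE record or of the plugin), the script below scans access-log lines for requests that abuse parameters[template_name]. The log lines are constructed for this page, and the /shop/ request path is an assumption, since the record does not say which endpoint the plugin reads the parameter from.

```php
<?php
// Added example: hunting for CVE-2026-0926 exploitation attempts in web
// server access logs. Not part of the CVE record or the plugin. The log
// lines are constructed; the /shop/ path is assumed.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [19/Feb/2026:08:01:02 +0000] "GET /shop/?parameters%5Btemplate_name%5D=product HTTP/1.1" 200 5120
203.0.113.11 - - [19/Feb/2026:08:01:05 +0000] "GET /shop/?parameters%5Btemplate_name%5D=..%2F..%2F..%2F..%2Fwp-config HTTP/1.1" 200 2210
203.0.113.12 - - [19/Feb/2026:08:01:09 +0000] "GET /shop/?parameters[template_name]=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 9000
203.0.113.13 - - [19/Feb/2026:08:01:11 +0000] "GET /shop/?parameters[template_name]=../../wp-content/uploads/2026/02/avatar.jpg HTTP/1.1" 200 640
203.0.113.14 - - [19/Feb/2026:08:01:15 +0000] "POST /shop/?parameters[template_name]=product%00 HTTP/1.1" 200 5120
203.0.113.15 - - [19/Feb/2026:08:01:20 +0000] "GET /shop/?parameters[template_name]=cart&page=2 HTTP/1.1" 200 4800
LOG;

// Decoded parameters[template_name] value from one log line, or null when
// the request does not carry that parameter.
function extract_template_name(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\//', $line, $m)) {
        return null;
    }
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return null;
    }
    // parse_str() percent-decodes and builds the nested parameters[] array
    // exactly as PHP does for $_GET on the target, so we see what the plugin saw.
    parse_str(substr($m[1], $qpos + 1), $query);
    $value = $query['parameters']['template_name'] ?? null;
    return is_string($value) ? $value : null;
}

// Reasons a template name looks like an LFI attempt; empty array = benign.
function classify_template_name(string $value): array
{
    $reasons = [];
    if (strpos($value, "\0") !== false) {
        $reasons[] = 'null byte';
    }
    if (preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $value)) {
        $reasons[] = 'path traversal';
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
        $reasons[] = 'stream wrapper';
    }
    if (preg_match('#^([/\\\\]|[a-z]:)#i', $value)) {
        $reasons[] = 'absolute path';
    }
    // Catch-all: a legitimate template name is a plain identifier.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $value)) {
        $reasons[] = 'outside expected charset';
    }
    return $reasons;
}

// Scan a whole log and return the suspicious requests with their reasons.
function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $value = extract_template_name($line);
        if ($value === null) {
            continue;
        }
        $reasons = classify_template_name($value);
        if ($reasons !== []) {
            $hits[] = ['ip' => strtok($line, ' '), 'value' => $value, 'reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (scan_log(SAMPLE_LOG) as $hit) {
    printf("%s  %-60s  %s\n", $hit['ip'], addcslashes($hit['value'], "\0"), implode(', ', $hit['reasons']));
}
```

On the constructed input the four requests from 203.0.113.11 through 203.0.113.14 are flagged and the two plain names (product, cart) are not. A 200 status on a flagged line says nothing about whether the inclusion succeeded; treat any hit as a reason to check the host for web shells and credential exposure, not as proof either way.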



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
  Removed: The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.9 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
  Added: The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Type: Title
  Removed: Prodigy Commerce <= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name]
  Added: Prodigy Commerce <= 3.3.0 - Unauthenticated Local File Inclusion via parameters[template_name]
Type: References

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics (ssvc)
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
  Added: Prodigycommerce; Prodigycommerce prodigy Commerce; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Added: Prodigycommerce; Prodigycommerce prodigy Commerce; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Type: Description
  Added: The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.9 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Type: Title
  Added: Prodigy Commerce <= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name]
Type: Weaknesses
  Added: CWE-98
Type: References
Type: Metrics (cvssV3_1)
  Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Prodigycommerce Prodigy Commerce
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:16.108Z

Reserved: 2026-01-13T21:22:20.386Z

Link: CVE-2026-0926

Vulnrichment

Updated: 2026-02-19T21:11:43.612Z

NVD

Status : Deferred

Published: 2026-02-19T07:17:42.497

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-19T14:45:27Z

Weaknesses