Local File Inclusion Vulnerability in Prodigy Commerce Plugin for WordPress
CVE-2026-0926

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Prodigy Commerce
Vendor: CVE Published:; 19 February 2026

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 20%

What is CVE-2026-0926?

The Prodigy Commerce plugin for WordPress is susceptible to Local File Inclusion due to inadequate input validation in the 'parameters[template_name]' parameter. This vulnerability allows unauthenticated attackers to read and include arbitrary files on the server. Such access enables the potential execution of arbitrary PHP code, leading to unauthorized access to sensitive data and the ability to bypass access controls. Attackers can exploit this vulnerability by uploading seemingly harmless file types, further escalating the risk of code execution on the affected server.

Affected Version(s)

Prodigy Commerce 0 <= 3.3.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-0926-exploit
Created by diamorphine666

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/prodigy-commer...

EPSS Score

20% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 24, 2026
👾
Exploit known to exist
May 24, 2026
Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Jan 13, 2026

Credit

Athiwat Tiprasaharn

Itthidej Aramsri

Waris Damkham

CVE-2026-0926 Data

JSON