CVE-2026-0926
Local File Inclusion in Prodigy Commerce Plugin Enables Code Execution
Publication date: 2026-02-19
Last updated on: 2026-04-08
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prodigy_commerce | plugin | up to 3.2.9 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Prodigy Commerce plugin for WordPress has a vulnerability called Local File Inclusion (LFI) in all versions up to and including 3.2.9. This vulnerability exists in the 'parameters[template_name]' parameter.
An unauthenticated attacker can exploit this flaw to include and read arbitrary files on the server or execute arbitrary files, including PHP code. This means the attacker can run any PHP code contained in those files.
How can this vulnerability impact me?
This vulnerability can have severe impacts including bypassing access controls, obtaining sensitive data stored on the server, and executing arbitrary code. This could lead to full compromise of the affected server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know