CVE-2026-0926

Severity: CRITICAL · Nuclei template available

Prodigy Commerce WordPress Plugin <3.2.9 - LFI

Title source: LLM-generated

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-0926. PoCs published by Diamorphine, diamorphine666, Sechunt3r. A Nuclei detection template is also available.

AI-analyzed exploit summary:
This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Prodigy Commerce WordPress plugin <= 3.2.9 by manipulating the 'parameters[template_name]' parameter in an AJAX request. It retrieves a nonce from the target site and uses it to include arbitrary files, such as /etc/passwd, via the admin-ajax.php endpoint.

Description

The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Exploits (3)

Source: Exploit-DB · Working PoC
by Diamorphine · tags: python, webapps, multiple
https://www.exploit-db.com/exploits/52598

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Prodigy Commerce WordPress plugin <= 3.2.9 by manipulating the 'parameters[template_name]' parameter in an AJAX request. It retrieves a nonce from the target site and uses it to include arbitrary files, such as /etc/passwd, via the admin-ajax.php endpoint.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Prodigy Commerce WordPress plugin <= 3.2.9
Authentication: none needed
Prerequisites: Target must have the vulnerable Prodigy Commerce plugin installed and accessible · The admin-ajax.php endpoint must be reachable
Analyzed by devstral-2 on May 30, 2026

Source: GitHub · Working PoC
by diamorphine666 · tags: python, poc
https://github.com/diamorphine666/CVE-2026-0926-exploit

This Python script exploits a local file inclusion vulnerability in Prodigy Commerce WordPress plugin <= 3.2.9 by sending a crafted POST request to admin-ajax.php with an unsanitized 'parameters[template_name]' parameter. It retrieves a nonce from the target site and uses it to read arbitrary files (default: /etc/passwd).

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Prodigy Commerce WordPress plugin <= 3.2.9
Authentication: none needed
Prerequisites: Target must have Prodigy Commerce plugin <= 3.2.9 installed · WordPress admin-ajax.php must be accessible
Analyzed by devstral-2 on May 24, 2026

Source: GitHub · Working PoC
by Sechunt3r · tags: shell, poc
https://github.com/Sechunt3r/CVE-POCs/tree/main/CVE-2026-0926

This repository contains a functional exploit for CVE-2026-0926, an unauthenticated Local File Inclusion (LFI) vulnerability in Prodigy Commerce WordPress plugin <= 3.3.0. The exploit uses a two-step process: extracting a nonce from the frontend and then sending a crafted AJAX request to include arbitrary files via the 'parameters[template_name]' parameter.

Classification: Working PoC (100%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Prodigy Commerce WordPress plugin <= 3.3.0
Authentication: none needed
Prerequisites: WordPress site with Prodigy Commerce plugin <= 3.3.0 installed and active
Analyzed by devstral-2 on Mar 13, 2026

Nuclei Templates (1)

Prodigy Commerce <= 3.3.0 - Local File Inclusion
Severity: CRITICAL · Verified · by Shivam Kamboj

Scores

CVSS v3: 9.8
EPSS: 0.2909
EPSS Percentile: 96.7%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-98
Status: published
Products (2):
prodigycommerce/Prodigy Commerce < 3.2.9
prodigycommerce/Prodigy Commerce < 3.3.0
Published: Feb 19, 2026
Tracked Since: Feb 19, 2026