momo Security Vulnerability Database

Multi-module data retrieval platform

CVE-2026-0926: Prodigy Commerce <= 3.3.0 - Local File Inclusion

CVE: CVE-2026-0926
CNVD: None
CNNVD: None
Vulnerability type: SQL injection
Severity: Critical
Year: 2026
POC_ID: None
Vulnerability description
Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely. [Public]

id: CVE-2026-0926

info:
  name: Prodigy Commerce <= 3.3.0 - Local File Inclusion
  author: Shivam Kamboj
  severity: critical
  description: |
    Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code, bypass access controls, and access sensitive data, potentially leading to full server compromise.
  remediation: |
    Update to the latest version beyond 3.2.9.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/prodigy-commerce/prodigy-commerce-329-unauthenticated-local-file-inclusion-via-parameterstemplate-name
    - https://nvd.nist.gov/vuln/detail/CVE-2026-0926
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-0926
    epss-score: 0.16696
    epss-p
FOFA query
None
Affected scope
Prodigy Commerce
Vulnerability details
POC: Public
Remediation advice
None