Cyber Posture

CVE-2026-0926

Critical

Published: 19 February 2026

Published
19 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2027 95.6th percentile
Risk Priority 32 60% EPSS · 20% KEV · 20% CVSS

Description

The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary…

more

files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mandates timely remediation of the LFI flaw by updating the Prodigy Commerce plugin beyond version 3.3.0 to apply the available patch.

SI-10 Information Input Validation good match
prevent

Requires validation of the 'parameters[template_name]' input to prevent path traversal attacks enabling arbitrary file inclusion and execution.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Facilitates scanning for CVE-2026-0926 in WordPress plugins to identify vulnerable Prodigy Commerce installations prior to exploitation.

Security SummaryAI

CVE-2026-0926 is a Local File Inclusion (LFI) vulnerability (CWE-98) in the Prodigy Commerce plugin for WordPress, affecting all versions up to and including 3.3.0. The flaw exists via the 'parameters[template_name]' parameter, which allows improper handling of file paths, enabling attackers to include and potentially execute arbitrary files on the server. With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it represents a critical risk due to its high impact on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows reading arbitrary files, executing PHP code within included files, bypassing access controls, and obtaining sensitive data. Additionally, if images or other "safe" file types containing PHP code can be uploaded, attackers can achieve remote code execution on the server.

References point to specific code locations in the plugin's source, such as class-prodigy-template.php at line 55 and class-prodigy-public.php at line 491, highlighting the vulnerable template loading logic. A changeset at https://plugins.trac.wordpress.org/changeset/3464655/ indicates a patch has been applied in newer versions, suggesting mitigation through updating the Prodigy Commerce plugin beyond version 3.3.0 via the WordPress plugin repository.

Details

CWE(s)
CWE-98

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

CVE-2026-0926 is an unauthenticated LFI vulnerability in a public-facing WordPress plugin enabling arbitrary file reads (T1005: Data from Local System) and remote code execution via file inclusion, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References