CRITICAL🇵🇱 Wersja polska

CVE-2026-0926

CVSS 9.8v3.1pub. 2026-02-19upd. 2026-04-15

The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

🤖 AI Analysis
How it works

The vulnerability results from improper validation of the 'parameters[template_name]' parameter passed by the user, which is subsequently used to include a file through the plugin's template mechanism. An attacker without any authentication can specify any file path on the server, resulting in its loading and — in the case of PHP files — execution of the code contained within it. A particularly dangerous scenario occurs when the service allows file uploads (e.g., images): an attacker can upload a file with embedded PHP code and then force its execution through this vulnerability.

Impact

An attacker can read arbitrary files from the server (including configuration data, credentials), bypass access control mechanisms, and execute arbitrary PHP code, which in practice means the ability to fully compromise the server (RCE).

Mitigation & patch

The Prodigy Commerce plugin must be immediately updated to a version higher than 3.3.0. According to available reference (changeset 3464655), the vendor published a fix in the WordPress repository. Until the update is applied, it is recommended to deactivate the plugin and restrict file upload capabilities for unprivileged users.

Who is affected

Prodigy Commerce plugin for WordPress in all versions up to and including 3.3.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References