HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical LFI in Prodigy Commerce WordPress Plugin (CVE‑2026‑0926) Enables Unauthenticated File Access

A local file inclusion flaw (CVE‑2026‑0926) in Prodigy Commerce versions ≤ 3.2.9 lets attackers read arbitrary files via an unauthenticated AJAX call. E‑commerce sites using the plugin face potential data exposure and downstream compromise, demanding immediate remediation.

LiveThreat™ Intelligence · 📅 May 30, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

Critical Local File Inclusion in Prodigy Commerce WordPress Plugin (CVE‑2026‑0926) Enables Unauthenticated File Access

What Happened — The Prodigy Commerce WordPress plugin (versions ≤ 3.2.9) fails to sanitize the parameters[template_name] parameter in an AJAX call, allowing an unauthenticated attacker to include and read arbitrary files on the web server. Public exploit code on Exploit‑DB demonstrates reading /etc/passwd and any other readable file.

Why It Matters for TPRM

  • LFI can expose configuration files, credentials, and proprietary data, creating a foothold for deeper compromise of a third‑party‑managed site.
  • Any organization that outsources its e‑commerce storefront to a vendor using this plugin inherits the same exposure.
  • The vulnerability is actively exploitable and has a CVE, raising the urgency for remediation across the supply chain.

Who Is Affected — Retail and e‑commerce sites, digital agencies, and any enterprise that runs WordPress with the Prodigy Commerce plugin installed.

Recommended Actions

  • Verify the plugin version on all managed sites; upgrade immediately to 3.3.0 or later where the issue is patched.
  • If an upgrade is not possible, block the vulnerable admin‑ajax.php endpoint or apply a web‑application firewall rule that sanitizes parameters[template_name].
  • Conduct a file‑integrity scan and review server logs for evidence of LFI attempts.

Technical Notes — The attack vector is an unauthenticated HTTP POST to /wp‑admin/admin‑ajax.php with a crafted parameters[template_name] value. The flaw is classified as a vulnerability exploit (CVE‑2026‑0926) and can lead to confidential file disclosure. Source: https://www.exploit-db.com/exploits/52598

📰 Original Source
https://www.exploit-db.com/exploits/52598

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →