Critical Local File Inclusion in Prodigy Commerce WordPress Plugin (CVE‑2026‑0926) Enables Unauthenticated File Access
What Happened — The Prodigy Commerce WordPress plugin (versions ≤ 3.2.9) fails to sanitize the parameters[template_name] parameter in an AJAX call, allowing an unauthenticated attacker to include and read arbitrary files on the web server. Public exploit code on Exploit‑DB demonstrates reading /etc/passwd and any other readable file.
Why It Matters for TPRM —
- LFI can expose configuration files, credentials, and proprietary data, creating a foothold for deeper compromise of a third‑party‑managed site.
- Any organization that outsources its e‑commerce storefront to a vendor using this plugin inherits the same exposure.
- The vulnerability is actively exploitable and has a CVE, raising the urgency for remediation across the supply chain.
Who Is Affected — Retail and e‑commerce sites, digital agencies, and any enterprise that runs WordPress with the Prodigy Commerce plugin installed.
Recommended Actions —
- Verify the plugin version on all managed sites; upgrade immediately to 3.3.0 or later where the issue is patched.
- If an upgrade is not possible, block the vulnerable
admin‑ajax.phpendpoint or apply a web‑application firewall rule that sanitizesparameters[template_name]. - Conduct a file‑integrity scan and review server logs for evidence of LFI attempts.
Technical Notes — The attack vector is an unauthenticated HTTP POST to /wp‑admin/admin‑ajax.php with a crafted parameters[template_name] value. The flaw is classified as a vulnerability exploit (CVE‑2026‑0926) and can lead to confidential file disclosure. Source: https://www.exploit-db.com/exploits/52598