PT-2026-20630 · WordPress · Prodigy Commerce

Athiwat Tiprasaharn · Published 2026-02-19 · Updated 2026-03-17 · CVE-2026-0926

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Prodigy Commerce versions prior to 3.2.9

Description

The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion. The cause is insufficient input validation of the parameters[template name] parameter. Unauthenticated attackers can include arbitrary files on the server, either reading them or executing them; PHP code within uploaded files can be included and executed this way. Exploitation can lead to bypassing access controls, obtaining sensitive data, or achieving code execution.

Recommendations

Versions prior to 3.2.9 should be updated. As a temporary workaround, consider disabling the Prodigy Commerce plugin until a fix is available. Monitor file uploads for potentially malicious content.
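
The recommendation to monitor file uploads can be run as a periodic scan, shown here as an added example that is not code from the plugin or from this advisory. Because a file-inclusion flaw executes PHP found in any included file regardless of its extension, the scan flags PHP open tags inside non-PHP files as well as executable extensions; the extension list, the read cap and the constructed sample tree are assumptions.

```python
import os
import re
import tempfile

# PHP opening tags: "<?php" (any case) and the short echo tag "<?=".
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Extensions a web server may execute directly (assumed list; match it to your handler config).
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}
MAX_BYTES = 8 * 1024 * 1024  # assumed per-file read cap

def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXT:
                findings.append((rel, "executable extension in upload directory"))
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if PHP_TAG.search(data):
                findings.append((rel, "PHP open tag inside non-PHP file"))
    return sorted(findings)

def demo():
    """Build a constructed upload tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2026", "02"))
        samples = {  # constructed sample files, not taken from a real site
            "2026/02/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
            "2026/02/avatar.png": b"\x89PNG\r\n" + b"<?php echo 1; ?>",
            "2026/02/notes.txt": b"<?xml version='1.0'?><a/>",
            "2026/02/tool.php": b"<?php // placeholder",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(body)
        return scan_uploads(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a WordPress site, point `scan_uploads` at the upload directory (`wp-content/uploads` by default) and review each finding before removing anything.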

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-0926

Affected Products

Prodigy Commerce
WordPress