This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: Local File Inclusion (LFI) in the Prodigy Commerce plugin.
**Consequences**: Attackers can read arbitrary files or execute code on the server…
**CWE-98**: Improper Control of Filename for Include/Require.
**Flaw**: The `parameters[template_name]` parameter lacks proper sanitization, allowing path traversal.
Q3 Who is affected? (Versions/Components)
**Vendor**: ProdigyCommerce.
**Affected**: WordPress plugin **Prodigy Commerce**, versions **3.2.9 and earlier**.
**Platform**: WordPress sites using this plugin.
**PoC**: Yes.
**Source**: Nuclei templates available on GitHub (ProjectDiscovery).
**Exploitation**: Remote exploitation is possible via the specific parameter.
Q7 How to self-check? (Features/Scanning)
**Check**: Scan for the Prodigy Commerce plugin version.
**Test**: Use the Nuclei template `CVE-2026-0926.yaml`.
**Manual**: Inspect `parameters[template_name]` input for LFI behavior.
Q8 Is it fixed officially? (Patch/Mitigation)
**Fix**: Update to version **> 3.2.9**.
**Reference**: Changeset 3464655 in WordPress Trac.
**Status**: Patch available for the vulnerable component.
Q9 What if no patch? (Workaround)
**Workaround**: Disable the plugin if not in use.
**WAF**: Block requests containing `parameters[template_name]` with path traversal characters.
**Access Control**: Restrict plugin admin endpoints.
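As an added example (editor's code, not from the advisory, the plugin, or the Nuclei template), the following Python scans web-server access-log lines for the `parameters[template_name]` parameter carrying a traversal-like value, which is the condition the WAF workaround above blocks and the manual check in Q7 looks for. The log lines, the endpoint path and the query layout are constructed; only the parameter name comes from the advisory.

```python
import re
from urllib.parse import unquote

# Parameter the advisory names as the LFI sink; accept raw and %5B/%5D-encoded brackets.
PARAM_RE = re.compile(r'parameters(?:\[|%5B)template_name(?:\]|%5D)=([^&\s"]*)', re.I)
# Traversal, absolute-path, NUL and stream-wrapper patterns, checked after decoding.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|^/|^[a-z]:\\|\x00|php://|file://)', re.I)

def decode_param(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded input (%252e%252e%252f) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(request_line: str) -> bool:
    """True if the line sets parameters[template_name] to a traversal-like value."""
    m = PARAM_RE.search(request_line)
    return bool(m) and bool(TRAVERSAL_RE.search(decode_param(m.group(1))))

def scan_log(lines):
    """Return (line_no, client_ip, decoded_value) for every flagged access-log line."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = PARAM_RE.search(line)
        if m and TRAVERSAL_RE.search(decode_param(m.group(1))):
            hits.append((line_no, line.split(" ", 1)[0], decode_param(m.group(1))))
    return hits

# Constructed sample lines in Combined Log Format (not real traffic; endpoint path assumed).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=prodigy&parameters%5Btemplate_name%5D=product-card HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=prodigy&parameters%5Btemplate_name%5D=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [10/Jan/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?parameters[template_name]=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 900',
    '192.0.2.9 - - [10/Jan/2026:10:00:04 +0000] "GET /shop/?s=template_name HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Jan/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=prodigy&parameters%5Btemplate_name%5D=product..card HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, ip, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent template_name={value!r}")
```

Lines 2 and 3 are flagged (single- and double-encoded traversal), while the benign `product..card` value on line 5 is not, because the pattern requires a separator after the dots.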