Cyber Resilience

CVE-2026-0926

Severity: Critical
Published: 19 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0940 (94.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-0926 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in WordPress (product inferred from references). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Prodigy Commerce plugin for WordPress is vulnerable to local file inclusion in all versions through 3.3.0. The flaw exists in the handling of the parameters[template_name] argument, which is processed without sufficient path validation in template and shortcode routines, allowing inclusion of arbitrary files on the server.

Unauthenticated attackers can supply crafted values to this parameter over the network to read or execute any PHP file reachable by the web server. Successful exploitation can bypass access controls, disclose sensitive data, or achieve remote code execution when an attacker can first upload a file containing PHP code that is later included.

The referenced WordPress plugin repository changesets and source listings indicate that the issue was addressed in a subsequent update to the plugin, with fixes applied to the template resolution logic in the affected class files. The EPSS score has remained at 0.29 with no material increase observed since disclosure.
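The root cause described above is a template name taken from the request and used to build an include path without validation. The following PHP is an added illustration written for this page; it is not code from the Prodigy Commerce plugin, and the function names, directory layout and allowlist are constructed. Only the parameter name parameters[template_name] comes from the advisory. It shows the unsafe pattern next to a hardened resolver that applies the SI-10 style input validation the controls section calls for, and logs rejected values so that probing of the parameter is visible to defenders.

```php
<?php
// Added illustration of CWE-98 in a template loader. Hypothetical code,
// not the plugin's own; only the request parameter name is from the advisory.

// Unsafe pattern: the request value is concatenated into the include path
// unvalidated, so traversal sequences or absolute paths select arbitrary
// files readable by the web server process (the weakness the advisory describes).
function load_template_vulnerable(string $templateName): void
{
    include __DIR__ . '/templates/' . $templateName . '.php';
}

// Hardened resolver: strict identifier check, explicit allowlist, and a
// canonical-path containment check so only shipped templates can be included.
function resolve_template_safe(string $templateName, string $templateDir, array $allowed): ?string
{
    // 1. Accept only a plain identifier: no separators, dots or NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $templateName)) {
        return null;
    }
    // 2. Only template names the plugin registers may be resolved.
    if (!in_array($templateName, $allowed, true)) {
        return null;
    }
    // 3. Canonicalise and confirm the result still lies inside the template directory.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $templateName . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_template_safe(string $templateName): void
{
    $allowed = ['product', 'cart', 'checkout']; // constructed allowlist
    $path = resolve_template_safe($templateName, __DIR__ . '/templates', $allowed);
    if ($path === null) {
        // Rejecting with a 400 and logging the value gives SOC a signal for
        // probing of this parameter (e.g. traversal attempts) in the web logs.
        http_response_code(400);
        error_log('template_name rejected: ' . $templateName);
        return;
    }
    include $path;
}

// Request handling: the nested parameter named in the advisory. A non-string
// value (array injection via parameters[template_name][]) is treated as empty.
$raw = $_GET['parameters']['template_name'] ?? '';
load_template_safe(is_string($raw) ? $raw : '');
```

The allowlist is the control that actually closes the issue; the regex and realpath checks are defence in depth so that a future change to the allowlist logic does not silently reopen the path-traversal route.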

Vulnerability details

The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

CVE-2026-0926 is an unauthenticated LFI vulnerability in a public-facing WordPress plugin enabling arbitrary file reads (T1005: Data from Local System) and remote code execution via file inclusion, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-60057 (shared CWE-98)
- CVE-2025-58940 (shared CWE-98)
- CVE-2026-22476 (shared CWE-98)
- CVE-2025-67980 (shared CWE-98)
- CVE-2025-69034 (shared CWE-98)
- CVE-2025-58225 (shared CWE-98)
- CVE-2026-22427 (shared CWE-98)
- CVE-2025-69402 (shared CWE-98)
- CVE-2025-64205 (shared CWE-98)
- CVE-2026-28013 (shared CWE-98)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

- Prevent, SI-10 (Information Input Validation): Directly requires validation of the parameters[template_name] input to reject path traversal and arbitrary file references before inclusion occurs.
- Prevent, SI-2 (Flaw Remediation): Mandates prompt application of the vendor patch that corrected the unsafe template resolution logic in the affected class files.
- Prevent: Enforces that only explicitly authorized files may be read or executed by the web server process, blocking the LFI bypass of access controls.

References