CVE-2026-0926
Published: 19 February 2026
Summary
CVE-2026-0926 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Prodigy Commerce plugin for WordPress is vulnerable to local file inclusion in all versions through 3.3.0. The flaw exists in the handling of the parameters[template_name] argument, which is processed without sufficient path validation in template and shortcode routines, allowing inclusion of arbitrary files on the server.
Unauthenticated attackers can supply crafted values to this parameter over the network to read or execute any PHP file reachable by the web server. Successful exploitation can bypass access controls, disclose sensitive data, or achieve remote code execution when an attacker can first upload a file containing PHP code that is later included.
The referenced WordPress plugin repository changesets and source listings indicate that the issue was addressed in a subsequent update to the plugin, with fixes applied to the template resolution logic in the affected class files. The EPSS score has remained at 0.29 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8228
Vulnerability details
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-0926 is an unauthenticated LFI vulnerability in a public-facing WordPress plugin enabling arbitrary file reads (T1005: Data from Local System) and remote code execution via file inclusion, directly mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of the parameters[template_name] input to reject path traversal and arbitrary file references before inclusion occurs.
Mandates prompt application of the vendor patch that corrected the unsafe template resolution logic in the affected class files.
Enforces that only explicitly authorized files may be read or executed by the web server process, blocking the LFI bypass of access controls.
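The input validation the SI-10 control above calls for, shown as an added illustrative example rather than the plugin's own code: a template resolver that accepts only allowlisted bare names and confirms the resolved file still lies inside the template directory before it is included. The class, directory and template names are hypothetical.

```php
<?php
// Added example (not Prodigy Commerce code): fail-closed template resolution
// for a user-controlled template_name parameter, as a defence against LFI.
final class SafeTemplateLoader
{
    private string $templateDir;
    /** @var string[] template base names the plugin actually ships */
    private array $allowed;

    public function __construct(string $templateDir, array $allowed)
    {
        $real = realpath($templateDir);
        if ($real === false) {
            throw new RuntimeException("template dir missing: $templateDir");
        }
        $this->templateDir = $real;
        $this->allowed = $allowed;
    }

    /** Absolute path of an approved template, or null when the name is rejected. */
    public function resolve(string $templateName): ?string
    {
        // 1. Syntactic check: a bare identifier only (no '/', '\', '.', ':' or NUL).
        if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $templateName)) {
            return null;
        }
        // 2. Allowlist: the name must be one the plugin defines, not anything on disk.
        if (!in_array($templateName, $this->allowed, true)) {
            return null;
        }
        // 3. Defence in depth: canonicalise and require the file to sit inside
        //    templateDir; realpath() also fails closed on missing files and symlinks.
        $real = realpath($this->templateDir . DIRECTORY_SEPARATOR . $templateName . '.php');
        $prefix = $this->templateDir . DIRECTORY_SEPARATOR;
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $real;
    }
}

// Constructed demo directory; a real plugin would use its own templates folder.
$dir = sys_get_temp_dir() . '/tpl_demo';
if (!is_dir($dir)) { mkdir($dir); }
file_put_contents("$dir/product.php", "<?php echo 'product template';\n");

$loader = new SafeTemplateLoader($dir, ['product', 'cart']);
// 'product' is accepted; 'cart' is allowlisted but absent, so realpath() rejects it.
foreach (['product', 'cart', '../escape', '/abs/path', "name\0x"] as $in) {
    $out = $loader->resolve($in);
    printf("%-14s => %s\n", json_encode($in), $out === null ? 'REJECTED' : 'include ' . basename($out));
}
```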