CVE-2026-0926
Published: 19 February 2026
Summary
CVE-2026-0926 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of the LFI flaw by updating the Prodigy Commerce plugin beyond version 3.3.0 to apply the available patch.
Requires validation of the 'parameters[template_name]' input to prevent path traversal attacks enabling arbitrary file inclusion and execution.
Facilitates scanning for CVE-2026-0926 in WordPress plugins to identify vulnerable Prodigy Commerce installations prior to exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-0926 is an unauthenticated LFI vulnerability in a public-facing WordPress plugin enabling arbitrary file reads (T1005: Data from Local System) and remote code execution via file inclusion, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary…
more
files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Deeper analysisAI
CVE-2026-0926 is a Local File Inclusion (LFI) vulnerability (CWE-98) in the Prodigy Commerce plugin for WordPress, affecting all versions up to and including 3.3.0. The flaw exists via the 'parameters[template_name]' parameter, which allows improper handling of file paths, enabling attackers to include and potentially execute arbitrary files on the server. With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it represents a critical risk due to its high impact on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows reading arbitrary files, executing PHP code within included files, bypassing access controls, and obtaining sensitive data. Additionally, if images or other "safe" file types containing PHP code can be uploaded, attackers can achieve remote code execution on the server.
References point to specific code locations in the plugin's source, such as class-prodigy-template.php at line 55 and class-prodigy-public.php at line 491, highlighting the vulnerable template loading logic. A changeset at https://plugins.trac.wordpress.org/changeset/3464655/ indicates a patch has been applied in newer versions, suggesting mitigation through updating the Prodigy Commerce plugin beyond version 3.3.0 via the WordPress plugin repository.
Details
- CWE(s)